Pyth is a first-party financial oracle that delivers real-time market data on-chain. It aims to bring valuable financial market data to DeFi applications and the general public. Pyth intends to use the Solana smart contracts under audit as a tool to give stakeholders (holders of the PYTH token) a way to make and vote on proposals affecting Pyth's governance.
Zellic conducted an audit for Pyth Data Association from May 2nd to May 6th, 2022 on the scoped contracts and discovered 1 finding. We found the code to be correct, and did not discover exploitable security issues.
The discovered finding, while potentially very dangerous, is unexploitable and is thus reported as informational. Additionally, Zellic recorded its notes and observations from the audit for Pyth Data Association's benefit at the end of the document.
Zellic thoroughly reviewed the Pyth Governance codebase to find protocol-breaking bugs as defined by the documentation, or any technical issues outlined in the Methodology section of this document. Specifically, taking into account Pyth's threat model, we focused heavily on issues that would allow an attacker an unfair weight in Pyth governance voting, and issues that would allow withdrawal of funds that would bypass the exposure risk calculation as defined by the documentation.
Our general assessment of the code is that it was correct and well structured. The code was not always intuitive, and we do think that there is some margin for improving code clarity, both by refactoring some of the most complex functions and by adding more comments and documentation.