Prevent new price feed updates
In the CosmWasm contract, the update_price_feed_if_new() function is used to check whether a submitted price feed update is considered new or old. New price feed updates have a publish_time property that is after the publish_time property of the previously accepted price feed update. Only new price feed updates can change the state of the contract, as old price feed updates are rejected.
The publish_time property itself is published by the oracle contract on Pythnet. This property has a type of i64. If the oracle contract publishes the maximum i64 value for publish_time (either due to a bug or a compromise), then any subsequent price feed updates will be rejected, as the publish_time cannot go higher than the maximum i64 value.
We have verified that the oracle contract simply uses the Solana clock's current timestamp for the publish_time property of the new price feed update. Therefore, this issue is currently mitigated, as the caller has no way to maliciously control the publish_time property of the submitted price feed update.
However, we find it important to note that the core issue here is that the CosmWasm contract itself does not completely validate the arguments that are passed to it. Therefore, if the oracle or the attestation contract is compromised, the mitigations may no longer exist, and the code will become open to exploitation. This would allow an attacker to submit a price feed update for a nonsensical price, or brick the CosmWasm contract by providing invalid arguments.
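The freshness check and the publish_time argument validation discussed above, modelled as an added example that is not the Pyth contract's code. PriceFeed, UpdateError, the function names, MAX_FUTURE_SKEW_SECS and the block_time parameter are assumptions made for illustration; the hardened variant bounds publish_time by the receiving chain's block time.

```rust
// Simplified model of the freshness check (added example, not the contract's code).
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct PriceFeed {
    pub price: i64,
    pub publish_time: i64, // Unix seconds, as attested by the oracle
}

#[derive(Debug, PartialEq)]
pub enum UpdateError {
    NotNewer,
    TooFarInFuture,
}

// Assumed clock-skew tolerance; hypothetical value, not taken from the contract.
pub const MAX_FUTURE_SKEW_SECS: i64 = 60;

/// Check as the finding describes it: accept only a strictly later publish_time.
pub fn update_if_new(stored: &mut PriceFeed, update: PriceFeed) -> Result<(), UpdateError> {
    if update.publish_time <= stored.publish_time {
        return Err(UpdateError::NotNewer);
    }
    *stored = update;
    Ok(())
}

/// Hardened variant: also bound publish_time by the receiving chain's block time.
pub fn update_if_new_bounded(
    stored: &mut PriceFeed,
    update: PriceFeed,
    block_time: i64,
) -> Result<(), UpdateError> {
    // saturating_add keeps the bound well-defined even for extreme block_time values.
    if update.publish_time > block_time.saturating_add(MAX_FUTURE_SKEW_SECS) {
        return Err(UpdateError::TooFarInFuture);
    }
    update_if_new(stored, update)
}

fn main() {
    let now = 1_700_000_000; // constructed block time
    let legit = PriceFeed { price: 101, publish_time: now };
    let extreme = PriceFeed { price: 1, publish_time: i64::MAX };
    let mut a = PriceFeed { price: 100, publish_time: now - 10 };
    update_if_new(&mut a, extreme).unwrap(); // accepted: it is "newer"
    println!("unbounded, later update: {:?}", update_if_new(&mut a, legit));
    let mut b = PriceFeed { price: 100, publish_time: now - 10 };
    println!("bounded, extreme update: {:?}", update_if_new_bounded(&mut b, extreme, now));
    println!("bounded, later update: {:?}", update_if_new_bounded(&mut b, legit, now));
}
```

With the unbounded check, the stored feed stays pinned at the maximum i64 timestamp and every later update is rejected; with the bound, the extreme value never reaches state.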