Pyth network is a first-party financial oracle with real-time market data on-chain. It aims to bring valuable financial market data to DeFi applications and the general public. The network does so by incentivizing market participants (trading firms, market makers, and exchanges) to share the price data collected as part of their existing operations. The network aggregates this first-party price data and publishes it on-chain for use by either on-chain or off-chain applications.
Zellic conducted an audit for Pyth Data Association from 28 March to 8 April 2022 on the scoped contracts and discovered 4 findings. Fortunately, no critical issues were found. We applaud Pyth for their attention to detail and diligence in maintaining high code quality standards. Of the 4 findings, 2 were of high impact, and 1 was of low impact. The remaining findings were informational in nature.
Pyth is an on-chain oracle aggregation network for real-time market data. Interestingly, it is written in C instead of Rust, unlike the majority of programs on Solana. Each price product on the network has a list of verified publishers that are allowed to publish the market data. For this audit, we focused specifically on authorization and authentication flaws, both general to Solana and specific to the Pyth network, that might lead to invalid or unauthorized price updates, since these would be of the highest impact.
Our general assessment of the code is that it is very well-written and maintained. The test suite covers nearly all of the main functionality, and the project has implemented generative fuzz testing for the pd math library. The documentation was clear, concise, and thorough. We hope Pyth continues their commitment to high code quality.