Lack of rent exemption enforcement
Description
To support the validators that maintain account state, Solana imposes rent on accounts. Every so often, if an account does not hold at least the minimum balance required to qualify as "rent exempt", lamports are collected from it as rent. If an account's balance hits 0, the account's data is forgotten, effectively resetting the account. Thus, it is possible to reinitialize accounts which have run out of lamports.
Pyth uses accounts created and supplied by the caller to store data. Pyth does not require that these accounts maintain a balance large enough to qualify as "rent exempt". This means that a caller can supply an account with too few lamports, initialize it as a particular account type, and, after rent has drained the account, use the account as if it were brand new.
This type of confusion can be found throughout the code, as rent exemption is not enforced for any account supplied by the user.
Impact
The lack of rent exemption checks can cause invariants in the code to break, which can affect clients that read the state of these accounts as well as the contract itself.
For example, product accounts can only be placed into a map if they haven't been initialized yet. This step, using the add_product instruction, requires the product account to be initialized but with an empty data field. This should only be true if the product account has never been used before, but because this account can be wiped out due to rent, we can actually add this product account to multiple maps, resulting in the product's prod_ field pointing to an incorrect map.
Recommendations
Pyth should either:
1. Use Program Derived Accounts (PDAs) to manage state and delegate signing authority in a way similar to Solana's Token accounts (with an owner or authority field on the PDA). These accounts should be created with a minimum "rent exempt" qualifying balance.
2. Require all accounts supplied by the user to be rent exempt. It should be sufficient to update both valid_signable_account and valid_writable_account with this check to get the desired mitigation in place.
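The rent-drain sequence described under Impact and the check proposed in option 2 above, modelled together in stand-alone C as an added example. This is not Pyth's code and does not call the Solana SDK: the rent constants are Solana's mainnet defaults (3480 lamports per byte-year, 128 bytes of per-account overhead, a two-year exemption threshold), while EPOCHS_PER_YEAR, PROD_LEN, the account_t struct, the map_id field standing in for the product's map pointer, and every model_ function are this example's own assumptions. The original check is modelled as "signer, writable, program-owned, large enough" with no balance test; the hardened variant adds the rent-exemption requirement.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of Solana's rent parameters using the mainnet defaults:
 * 3480 lamports per byte-year, 128 bytes of per-account storage overhead,
 * and a two-year exemption threshold. EPOCHS_PER_YEAR is an assumed value
 * used only to turn elapsed epochs into rent owed. */
#define LAMPORTS_PER_BYTE_YEAR    3480ULL
#define ACCOUNT_STORAGE_OVERHEAD  128ULL
#define EXEMPTION_THRESHOLD_YEARS 2ULL
#define EPOCHS_PER_YEAR           182ULL

/* Size of the modelled product account's data (assumed, not Pyth's layout). */
#define PROD_LEN 48ULL

/* Minimal stand-in for an account passed to the program: its balance, the
 * flags the existing checks look at, and one field standing in for the
 * account data (the map the product has been added to). */
typedef struct {
    uint64_t lamports;
    uint64_t data_len;
    bool     is_signer;
    bool     is_writable;
    bool     owned_by_program;
    uint32_t map_id;   /* stands in for the product's map pointer; 0 = unused */
} account_t;

typedef bool (*account_check_fn)(const account_t *, uint64_t);

/* Smallest balance at which an account with data_len bytes is rent exempt. */
uint64_t rent_minimum_balance(uint64_t data_len) {
    return (ACCOUNT_STORAGE_OVERHEAD + data_len) * LAMPORTS_PER_BYTE_YEAR
           * EXEMPTION_THRESHOLD_YEARS;
}

/* Model of the original check: signer, writable, owned by the program and
 * large enough. The balance is never consulted. */
bool model_valid_signable_account(const account_t *a, uint64_t dlen) {
    return a->is_signer && a->is_writable && a->owned_by_program
           && a->data_len >= dlen;
}

/* Hardened variant: the same conditions plus the rent-exemption requirement
 * the recommendation asks for. */
bool model_valid_signable_account_rent_exempt(const account_t *a, uint64_t dlen) {
    return model_valid_signable_account(a, dlen)
           && a->lamports >= rent_minimum_balance(a->data_len);
}

/* Rent collection model: a non-exempt account pays for the elapsed epochs;
 * once its balance reaches zero its data is purged, so the next use sees a
 * zeroed account of the same size. An exempt account pays nothing. */
void collect_rent(account_t *a, uint64_t epochs) {
    if (a->lamports >= rent_minimum_balance(a->data_len)) return;
    uint64_t due = (ACCOUNT_STORAGE_OVERHEAD + a->data_len)
                   * LAMPORTS_PER_BYTE_YEAR * epochs / EPOCHS_PER_YEAR;
    if (due >= a->lamports) {
        a->lamports = 0;
        a->map_id = 0;            /* balance hit zero: data is forgotten */
    } else {
        a->lamports -= due;
    }
}

/* Model of the add_product step: the account must pass the supplied check
 * and its data must still be empty (never added to a map). */
bool model_add_product(account_check_fn check, account_t *prod, uint32_t map_id) {
    if (!check(prod, PROD_LEN)) return false;
    if (prod->map_id != 0) return false;   /* data not empty: already used */
    prod->map_id = map_id;
    return true;
}

/* Scenario from the finding: a caller supplies a product account funded with
 * initial_lamports, adds it to map 1, one epoch of rent is collected, then
 * the same account is offered to map 2. Returns how many maps accepted it. */
int maps_accepting_account(account_check_fn check, uint64_t initial_lamports) {
    account_t prod = { .lamports = initial_lamports, .data_len = PROD_LEN,
                       .is_signer = true, .is_writable = true,
                       .owned_by_program = true, .map_id = 0 };
    int accepted = 0;
    if (model_add_product(check, &prod, 1)) accepted++;
    collect_rent(&prod, 1);
    if (model_add_product(check, &prod, 2)) accepted++;
    return accepted;
}

int main(void) {
    uint64_t exempt = rent_minimum_balance(PROD_LEN);
    printf("rent-exempt minimum for %llu bytes: %llu lamports\n",
           (unsigned long long)PROD_LEN, (unsigned long long)exempt);
    printf("underfunded account, original check: accepted by %d maps\n",
           maps_accepting_account(model_valid_signable_account, 1000));
    printf("underfunded account, rent-exempt check: accepted by %d maps\n",
           maps_accepting_account(model_valid_signable_account_rent_exempt, 1000));
    return 0;
}
```

With the original-style check an account funded with only 1000 lamports is accepted by both maps, because one epoch of rent empties it and the zeroed data looks "never used" again; with the rent-exemption check the same account is rejected at the first add_product, and a properly funded account is accepted exactly once since rent is never collected from it. Note that the check compares the balance against the minimum for the account's own data_len, not a fixed constant, so accounts of different sizes get the right threshold.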
Remediation
The finding has been acknowledged by Pyth Data Association. Their official response is reproduced below:
Pyth Data Association acknowledges the finding and a security fix for this issue will be deployed on or before April 18th.