Pyth Data Foundation
April 27, 2022
Pyth2Wormhole
Findings
Impact Level: Count
Critical: 1
High: 0
Medium: 0
Low: 2
Informational: 1
Prepared by
Filippo Cremonese, Engineer
Jasraj Bedi, Co-Founder
About

Pyth is a first-party financial oracle with real-time market data on-chain. It aims to bring valuable financial market data to DeFi applications and the general public. Because Pyth is native to Solana, its prices can only be read by clients on the same network. Pyth2Wormhole leverages the cross-chain arbitrary messaging in Wormhole to bridge the price data to other chains, such as Ethereum and Terra.

Executive Summary

Zellic conducted an audit for Pyth Data Foundation from April 18th to April 27th, 2022 on the scoped contracts and discovered 4 findings. Despite the overall good code quality, one critical-severity issue was found.

Two of the remaining issues are deemed low severity, and the last finding is reported as informational. Additionally, Zellic recorded its notes and observations from the audit for Pyth Data Foundation's benefit at the end of the document.

Zellic thoroughly reviewed the Pyth2Wormhole codebase to find protocol-breaking bugs as defined by the documentation, or any technical issues outlined in the Methodology section of this document. Specifically, taking into account Pyth2Wormhole's threat model and discussions with the team, the audit was focused heavily on issues that could cause major disruptions on the target chains, such as publishing fake or stale pricing data.

Our general overview of the code is that it was well-organized and structured. The Ethereum and Terra codebases are paired with comprehensive test suites covering the majority of the functions. The documentation was adequate, although it could be improved to provide more safety notices to end users. The code was easy to comprehend and, in most cases, intuitive.

Zellic © 2023