Category: Business Logic

Possible usage of stale price information

Critical Severity
Critical Impact
High Likelihood

Description

The following four separate issues when chained together lead to a critical outcome:

attest performs insufficient sanity checks

The attest function (from attest.rs) of the Solana attester contract does not enforce any restriction on the publication timestamp of the price being attested. Therefore, it could be leveraged to publish out-of-date pricing information when the prices have not been updated for a while.

Ethereum contract performs insufficient sanity checks

The Ethereum contract consuming price attestations does not perform any sanity check on the price publication timestamp. A last-resort check is performed in queryPriceFeed on the price attestation timestamp. This check is not particularly effective as the attestation timestamp represents when the attestation program attested the price information through Wormhole, not when the price itself was published.

Terra contract performs insufficient sanity checks

Similar to the Ethereum contract, the Terra contract does not perform any validation against the price publication timestamp. A check is performed in the query_price_info method against the attestation timestamp, but as stated previously, it is not sufficient to determine the freshness of the pricing data itself, merely the liveness of the stream of pricing information.

Developer documentation misses important safety notice

The documentation does not recommend that users check the publication timestamp when retrieving a price, significantly increasing the likelihood of unsafe usage of the API. In addition, users cannot retrieve the publication timestamp through the IPyth interface but instead have to use queryPriceFeed, which is not part of IPyth.

Impact

Stale price accounts can be passed to the attester program and reach Pyth users on other blockchain platforms. After discussion with the Pyth team, this category of issue (publishing stale pricing information) is considered critical. Pyth users are unlikely to have implemented sanity checks that prevent them from using outdated information, since there is no recommendation to do so in the Pyth documentation, and would therefore consume the stale data.

Recommendations

Regarding the attester program:

  • refuse to attest outdated prices, for instance by checking the publish_time field of the PriceAttestation struct

Regarding the Ethereum smart contract:

  • If possible, add sanity checks on the price publication timestamp by default to all public facing functions

  • Otherwise, expand IPyth to expose the information required to implement those sanity checks, and clearly document the need for it

Regarding the Terra smart contract:

  • Implement sanity checks on the price publication timestamp by default for all public facing functions
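As an added example (not code from the Pyth2Wormhole repository), the following Rust contrasts the attestation-timestamp check described above with a check on the price publication timestamp, on both the attester side and the consumer side. The PriceAttestation fields other than publish_time, the Freshness type and the max_age argument are assumptions made for the illustration.

```rust
/// Minimal stand-in for the attestation payload; the field names are assumptions.
#[derive(Debug, Clone)]
pub struct PriceAttestation {
    pub price: i64,
    /// When the publisher last updated this price (UNIX seconds).
    pub publish_time: i64,
    /// When the attester relayed the price through Wormhole (UNIX seconds).
    pub attestation_time: i64,
}

#[derive(Debug, PartialEq)]
pub enum Freshness {
    Fresh,
    /// The price itself has not been updated within max_age.
    StalePrice { age: i64 },
    /// The attestation stream has gone quiet, even though the price is recent.
    StaleAttestation { age: i64 },
    /// A timestamp lies in the future: clock skew or malformed input.
    FutureTimestamp,
}

/// Attester-side gate (first recommendation): only attest prices published within max_age.
pub fn should_attest(publish_time: i64, now: i64, max_age: i64) -> bool {
    let age = now - publish_time;
    age >= 0 && age <= max_age
}

/// The last-resort check the report describes: only the attestation timestamp is
/// examined, so a just-attested price that was published hours ago still passes.
pub fn attestation_only_check(a: &PriceAttestation, now: i64, max_age: i64) -> bool {
    let age = now - a.attestation_time;
    age >= 0 && age <= max_age
}

/// Consumer-side check: validate the publication timestamp first, then the
/// attestation timestamp, so both the price and the stream must be live.
pub fn check_freshness(a: &PriceAttestation, now: i64, max_age: i64) -> Freshness {
    let publish_age = now - a.publish_time;
    let attest_age = now - a.attestation_time;
    if publish_age < 0 || attest_age < 0 {
        return Freshness::FutureTimestamp;
    }
    if publish_age > max_age {
        return Freshness::StalePrice { age: publish_age };
    }
    if attest_age > max_age {
        return Freshness::StaleAttestation { age: attest_age };
    }
    Freshness::Fresh
}
```

With a price published an hour ago but attested one second ago, attestation_only_check accepts it while check_freshness reports StalePrice and should_attest would have refused to relay it in the first place.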

Remediation

The finding has been acknowledged by Pyth Data Foundation. Their official response is reproduced below:

Pyth Data Association acknowledges the finding and developed a patch for this issue:

Zellic © 2024