Missing access control on initializer function
Description
Contract Pyth (Pyth.sol) contains a public initializer function without any modifiers enforcing access control:
    function initialize(
        address wormhole,
        uint16 pyth2WormholeChainId,
        bytes32 pyth2WormholeEmitter
    ) virtual public {
        setWormhole(wormhole);
        setPyth2WormholeChainId(pyth2WormholeChainId);
        setPyth2WormholeEmitter(pyth2WormholeEmitter);
    }
An attacker could call this function and set the Wormhole address, Chain ID and Emitter address to any arbitrary value.
At present, the function cannot be called by an attacker since it is overridden by PythUpgradable::initialize, a function with the same prototype that does perform the appropriate access control checks. However, keeping such a dangerous function in the code base exposes Pyth to the unneeded risk that a future code refactoring inadvertently makes it reachable by an attacker.
Impact
If the function were to be exposed, e.g. in a future code refactor, an attacker could call it and trivially take over the contract by setting arbitrary values for the Wormhole and Emitter contracts. This would allow them to submit arbitrary price attestations.
Recommendations
We recommend one of the following remediations:
- Apply the initializer modifier to Pyth::initialize
- Rename Pyth::initialize and mark it as private
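The sketch below is an added example, not code from Pyth or from the audit report; it shows both recommendations in one contract, although either alone addresses the finding. The names PythSketch, OneShotInit and _setConfig are hypothetical, and the small guard stands in for the initializer modifier from OpenZeppelin's Initializable.

```solidity
// SPDX-License-Identifier: Apache-2.0
pragma solidity ^0.8.0;

// Added example: hypothetical stand-in for a library-provided one-shot guard.
abstract contract OneShotInit {
    bool private _initialized;

    // Lets the guarded function body run at most once per contract instance.
    modifier initializer() {
        require(!_initialized, "already initialized");
        _initialized = true;
        _;
    }
}

// Hypothetical reduction of the contract in the finding; state layout is assumed.
contract PythSketch is OneShotInit {
    address public wormhole;
    uint16 public pyth2WormholeChainId;
    bytes32 public pyth2WormholeEmitter;

    // Recommendation 1: the public entry point carries the guard itself.
    // An override replaces the modifier list too, so the guard only helps on
    // the base function: if a derived contract stops overriding initialize,
    // the function that becomes reachable can still run only once.
    function initialize(
        address wormhole_,
        uint16 chainId_,
        bytes32 emitter_
    ) public virtual initializer {
        _setConfig(wormhole_, chainId_, emitter_);
    }

    // Recommendation 2: the state-setting logic lives in a renamed private
    // function, which has no external entry point of its own.
    function _setConfig(
        address wormhole_,
        uint16 chainId_,
        bytes32 emitter_
    ) private {
        wormhole = wormhole_;
        pyth2WormholeChainId = chainId_;
        pyth2WormholeEmitter = emitter_;
    }
}
```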
Remediation
The finding has been acknowledged by Pyth Data Foundation. Their official response is reproduced below:
Pyth Data Association acknowledges the finding, but doesn’t believe it has security implications. However, we may deploy a bug fix to address it.