
Lively Glossy Goat - Attacker will redeem tokens at stale prices #46

Open
sherlock-admin2 opened this issue Dec 21, 2024 · 1 comment
Labels: Sponsor Confirmed (The sponsor acknowledged this issue is valid), Will Fix (The sponsor confirmed this issue will be fixed)

Comments

@sherlock-admin2 (Contributor)

Lively Glossy Goat

High

Attacker will redeem tokens at stale prices

Summary

There are no staleness checks on the Pyth oracle used to value tokens, which will lead to attackers using very stale prices at the expense of other participants.

Root Cause

In PythOracle.sol:98, the oracle is using getPriceUnsafe() which does not have any staleness checks, and could potentially return the very first oracle value (assuming there have been no updates since then).

Internal Pre-conditions

  1. The PriceOracleAggregator needs to have been configured to use a PythOracle

External Pre-conditions

  1. The PythOracle's feed will need to not have been updated recently
  2. The market price of the token has moved since the last Pyth feed update

Attack Path

  1. A user that shouldn't be able to redeem tokens, because the price has moved against them, can still redeem, in spite of the liquidity check

Impact

Protocol insolvency, since the solvency checks will essentially be bypassed

PoC

No response

Mitigation

Use getPriceNoOlderThan() and store a max age for each Pyth oracle
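The vulnerable pattern beside the mitigated one, as an added illustration that is not code from the Mach Finance repository. It reproduces only the subset of Pyth's `IPyth` interface and `PythStructs.Price` it needs; the adapter contract, its function names and the `maxAge` mapping are assumptions chosen to mirror the mitigation above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal subset of Pyth's PythStructs / IPyth, reproduced so the example is
// self-contained (assumption: matches the deployed Pyth contract's signatures).
library PythStructs {
    struct Price { int64 price; uint64 conf; int32 expo; uint publishTime; }
}

interface IPyth {
    // Returns the last cached price with no freshness guarantee at all.
    function getPriceUnsafe(bytes32 id) external view returns (PythStructs.Price memory);
    // Reverts inside Pyth if block.timestamp - publishTime exceeds `age` seconds.
    function getPriceNoOlderThan(bytes32 id, uint age) external view returns (PythStructs.Price memory);
}

// Hypothetical oracle adapter; contract and function names are assumptions.
contract PythOracleExample {
    IPyth public immutable pyth;
    // Maximum acceptable price age in seconds, stored per feed id as the
    // mitigation recommends. Zero means "not configured".
    mapping(bytes32 => uint) public maxAge;

    constructor(IPyth _pyth) { pyth = _pyth; }

    // Assumption: a real deployment restricts this to an admin role.
    function setMaxAge(bytes32 feedId, uint age) external {
        require(age != 0, "age must be non-zero");
        maxAge[feedId] = age;
    }

    // VULNERABLE pattern from the report: any cached price is accepted,
    // however old, so a feed that stopped updating still values collateral.
    function priceUnsafe(bytes32 feedId) external view returns (int64) {
        return pyth.getPriceUnsafe(feedId).price;
    }

    // MITIGATED pattern: Pyth enforces the per-feed max age, and the adapter
    // refuses to serve a feed for which no max age has been configured.
    function priceChecked(bytes32 feedId) external view returns (int64) {
        uint age = maxAge[feedId];
        require(age != 0, "max age not configured");
        PythStructs.Price memory p = pyth.getPriceNoOlderThan(feedId, age);
        require(p.price > 0, "non-positive price");
        return p.price;
    }
}
```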

@sherlock-admin3 added the labels Sponsor Confirmed (The sponsor acknowledged this issue is valid) and Will Fix (The sponsor confirmed this issue will be fixed) on Dec 25, 2024
@sherlock-admin2 (Contributor, Author)

The protocol team fixed this issue in the following PRs/commits:
https://github.com/Mach-Finance/contracts/pull/8/files
