
Wonderful Chartreuse Cat - PythOracle does not verify the confidence interval. #51

Open
sherlock-admin4 opened this issue Dec 21, 2024 · 0 comments
Labels: Sponsor Confirmed (the sponsor acknowledged this issue is valid), Won't Fix (the sponsor confirmed this issue will not be fixed)

Comments

@sherlock-admin4

Wonderful Chartreuse Cat

Medium

PythOracle does not verify the confidence interval.

Summary

The price data returned from Pyth includes a confidence interval. Refer to the Pyth documentation here for more details.

Due to the fact that PythOracle uses the getPriceUnsafe() function to retrieve the latest reported price and the fact that Pyth prices can be updated by anyone, an attacker can update already fresh data with a new price that has a larger confidence interval.

From Pyth's perspective, such a price is not invalid because the confidence interval is part of the reported price. It is the user's responsibility to confirm that the given confidence level is sufficient.

As such, a price with high uncertainty can be used by a malicious actor to inflate or deflate a currently fresh and certain price. This could force the liquidation of any user whose position is close to crossing the liquidation shortfall.

Root Cause

The confidence interval of the reported price is not properly validated, and any given price is accepted as valid (see here).

Internal pre-conditions

None.

External pre-conditions

  • A fresh but not confident price is available, which can be used to update the Pyth price feed.

Impact

  • A borrower position can be force-liquidated based on a highly uncertain price.

Mitigation

Consider utilizing the confidence interval provided by the Pyth price feed, as recommended in the official documentation. This approach helps mitigate the risk of users exploiting invalid prices.

```solidity
// Suggested guard: treat the price as unusable when its confidence interval
// is wider than maxConfWidth basis points of the price itself.
if (pythPrice.conf > uint64(pythPrice.price) * maxConfWidth / BASIS_POINTS) {
    return (0, 0);
}
```
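As an added example (not code from the issue or from the audited project), a minimal Solidity wrapper that applies the confidence check from the mitigation together with a staleness check, since getPriceUnsafe() performs neither. The contract name and the maxAge and maxConfWidth parameters are assumptions; the IPyth interface and PythStructs.Price struct are the ones from the @pythnetwork/pyth-sdk-solidity package.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@pythnetwork/pyth-sdk-solidity/IPyth.sol";
import "@pythnetwork/pyth-sdk-solidity/PythStructs.sol";

/// Illustrative oracle wrapper (not the audited PythOracle). It still reads the
/// latest price with getPriceUnsafe(), as the issue describes, but rejects
/// prices that are stale or whose confidence interval is too wide, so a fresh
/// but highly uncertain update cannot displace a tighter one in consumers.
contract ConfidenceCheckedPythOracle {
    uint256 public constant BASIS_POINTS = 10_000;

    IPyth public immutable pyth;
    bytes32 public immutable priceId;
    uint256 public immutable maxAge;        // seconds (assumed parameter)
    uint256 public immutable maxConfWidth;  // bps of price (assumed parameter)

    constructor(IPyth _pyth, bytes32 _priceId, uint256 _maxAge, uint256 _maxConfWidth) {
        pyth = _pyth;
        priceId = _priceId;
        maxAge = _maxAge;
        maxConfWidth = _maxConfWidth;
    }

    /// Returns (price, expo). A zero price signals "no usable price" to the
    /// caller, mirroring the `return (0, 0)` sentinel in the suggested fix.
    function getPrice() external view returns (uint256 price, int32 expo) {
        PythStructs.Price memory p = pyth.getPriceUnsafe(priceId);

        // A zero or negative price is never usable for pricing collateral.
        if (p.price <= 0) return (0, 0);

        // Staleness: getPriceUnsafe does no age check, so enforce one here.
        if (p.publishTime > block.timestamp || block.timestamp - p.publishTime > maxAge) {
            return (0, 0);
        }

        // Confidence: reject when conf exceeds maxConfWidth bps of the price.
        uint256 absPrice = uint256(uint64(p.price));
        if (uint256(p.conf) > absPrice * maxConfWidth / BASIS_POINTS) {
            return (0, 0);
        }
        return (absPrice, p.expo);
    }
}
```

Callers must treat a zero price as "do not act" (for example, refuse to liquidate) rather than as a literal price of zero.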
sherlock-admin3 added the labels Won't Fix (the sponsor confirmed this issue will not be fixed) and Sponsor Confirmed (the sponsor acknowledged this issue is valid) on Dec 25, 2024.