Skip to content

Latest commit

 

History

History
49 lines (29 loc) · 1.19 KB

047.md

File metadata and controls

49 lines (29 loc) · 1.19 KB

Handsome Pineapple Mustang

Medium

wrong implement of pyth.getPriceNoOlderThan.

Summary

As we can see that pyth.getPriceNoOlderThan in getThePrice we are checking for 600 sec but in the comment it is written around 90 sec so we are checking the wrong stale price as price will change after 90 sec.

Root Cause

https://github.com/sherlock-audit/2024-11-debita-finance-v3/blob/main/Debita-V3-Contracts/contracts/oracles/DebitaPyth.sol#L32

function getThePrice(address tokenAddress) public view returns (int) { // falta hacer un chequeo para las l2 bytes32 _priceFeed = priceIdPerToken[tokenAddress]; require(_priceFeed != bytes32(0), "Price feed not set"); require(!isPaused, "Contract is paused");

    // Get the price from the pyth contract, no older than 90 seconds
    PythStructs.Price memory priceData = pyth.getPriceNoOlderThan(
        _priceFeed,
    @>>    600
    );

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

stale price may happen s we check the 600 sec in place of 90 sec.

PoC

No response

Mitigation

use 90 sec in place of 600 sec.