081.md

Loud Mocha Platypus

Medium

Confidence interval ignored in DebitaPyth.getThePrice()

Summary

Ignores confidence value for DebitaPyth.getThePrice(). Should not ignore it. Can be severe enough to cause issues reporting price, which in turn effects the oracle price related ratio values during offer matching.

Pyth Oracle best practices:

• https://docs.pyth.network/price-feeds/best-practices#confidence-intervals

"It can use a discounted price in the direction favorable to it. For example, a lending protocol valuing a user’s collateral can use the lower valuation price μ-σ. When valuing an outstanding loan position consisting of tokens a user has borrowed from the protocol, it can use the higher end of the interval by using the price μ+σ. This allows the protocol to be conservative with regard to its own health and safety when making valuations."

"It [PROTOCOL] can decide that there is too much uncertainty when σ/μ exceeds some threshold and choose to pause any new activity that depends on the price of this asset."

Examples from Pashov & OZ audits:

• https://solodit.cyfrin.io/issues/confidence-intervals-of-pyth-networks-prices-are-ignored-openzeppelin-none-anvil-audit-markdown
• https://solodit.cyfrin.io/issues/m-01-pyth-oracle-price-is-not-validated-properly-pashov-audit-group-none-nabla-markdown
• https://solodit.cyfrin.io/issues/m-03-confidence-interval-of-pyth-price-is-not-validated-pashov-audit-group-none-reyanetwork-august-markdown

Root Cause

See Summary.

Internal pre-conditions

See Summary.

External pre-conditions

See Summary.

Attack Path

See Summary.

Impact

See Summary.

PoC

See Summary.

Mitigation

// https://github.com/sherlock-audit/2024-11-debita-finance-v3/blob/main/Debita-V3-Contracts/contracts/oracles/DebitaPyth.sol#L25
    function getThePrice(address tokenAddress) public view returns (int) {
        // falta hacer un chequeo para las l2
        bytes32 _priceFeed = priceIdPerToken[tokenAddress];
        require(_priceFeed != bytes32(0), "Price feed not set");
        require(!isPaused, "Contract is paused");

        // Get the price from the pyth contract, no older than 90 seconds
        PythStructs.Price memory priceData = pyth.getPriceNoOlderThan(
            _priceFeed,
            600
        );

        // Check if the price feed is available and the price is valid
+       require(priceData.conf > 0 && (priceData.price / int64(priceData.conf)) < MIN_CONFIDENCE_RATIO, "conf too high");
        require(isFeedAvailable[_priceFeed], "Price feed not available");
        require(priceData.price > 0, "Invalid price");
        return priceData.price;
    }