rilwan99 - DebitaPyth.sol: uses 600s instead of 90s in getThePrice()

[sherlock-admin2]

rilwan99

Medium

DebitaPyth.sol: uses 600s instead of 90s in getThePrice()

Summary

The DebitaPyth contract's getThePrice() function allows for price data that could be up to 10 minutes old (600 seconds).

This exposes the protocol to price manipulation risks and outdated price data in volatile market conditions.

https://github.com/sherlock-audit/2024-11-debita-finance-v3/blob/main/Debita-V3-Contracts/contracts/oracles/DebitaPyth.sol#L31-L35

Root Cause

10 mins is a long time window, and token prices can change drastically during this period. This would result in inaccurate/stale price being returned from the oracle.

Internal pre-conditions

No response

External pre-conditions

• Token price changes drastically within those 10 mins
• High float low FDV tokens are an example

Attack Path

No response

Impact

• Outdated price feeds could lead to inaccurate asset valuations
• Potential for price manipulation through strategic timing of transactions
• Higher risk during periods of high market volatility
• Could affect liquidations, collateral calculations, and other price-dependent

PoC

No response

Mitigation

Use 90 instead of 600 in getPriceNoOlderThan()