Skip to content

Latest commit

 

History

History
44 lines (26 loc) · 1.17 KB

059.md

File metadata and controls

44 lines (26 loc) · 1.17 KB

Decent Smoke Owl

High

Wrong check for stale price in PythOracle

Summary

The current price staleness check is incorrect. It verifies that the publish time is less than the last supported timestamp, whereas it should validate that the publish time is greater than the last supported timestamp.

Root Cause

In currentValue() function in PythOracle contract there is a check to ensure the price provided was updated in the last noOlderThan seconds. But it incorrectly uses < instead of >.

		 require(
            price.publishTime < block.timestamp - noOlderThan,
            "Stale Price"
        );

currentValue(): https://github.com/sherlock-audit/2024-11-oku/blob/ee3f781a73d65e33fb452c9a44eb1337c5cfdbd6/oku-custom-order-types/contracts/oracle/External/PythOracle.sol#L26C1-L33C6

Internal pre-conditions

N/A

External pre-conditions

N/A

Attack Path

No attack path, it happens in normal workflows.

Impact

Only stale prices can be used. If price was updated recently, the protocol wont work as this function( used to calculate exchange rate between tokens) is going to revert.

PoC

N/A

Mitigation

Use > instead of <.