
Powerful Stone Starling - If user overpays for priceFeed update he will not be refunded #882

Open
sherlock-admin2 opened this issue Dec 9, 2024 · 0 comments

Comments

@sherlock-admin2

Powerful Stone Starling

Medium

If user overpays for priceFeed update he will not be refunded

Summary

When a user overpays for the price update in the Pyth oracle, the overpaid amount will not be refunded.

Root Cause

In updatePrice, when the user submits an extra amount of ETH, he will not be refunded.

        uint fee = pythOracle.getUpdateFee(priceUpdate);
 @>>    pythOracle.updatePriceFeeds{value: fee}(priceUpdate);

        IPyth.Price memory price = pythOracle.getPriceNoOlderThan(
            tokenId,
            uint256(uint64(noOlderThan))
        );

Internal pre-conditions

No response

External pre-conditions

The user overpays the fee and expects the extra fee to be returned.

Attack Path

No response

Impact

The extra amount paid by the user remains in the contract; if the user overpaid by a large amount, he will be saddened by this event.

PoC

No response

Mitigation

Consider returning the extra fee to the user.

.     .    .
        uint fee = pythOracle.getUpdateFee(priceUpdate);
        pythOracle.updatePriceFeeds{value: fee}(priceUpdate);

        IPyth.Price memory price = pythOracle.getPriceNoOlderThan(
            tokenId,
            uint256(uint64(noOlderThan))
        );

        // Refund whatever the caller sent above the required fee
        // (reverts on underflow in Solidity >=0.8 if msg.value < fee).
        uint extraValue = msg.value - fee;
        (bool ok, ) = payable(msg.sender).call{value: extraValue}("");
        require(ok, "refund failed");
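The following is an added example of the mitigation, not code from the audited project or from the finding itself. It assumes a minimal `IPyth` interface with the three functions used in the snippet above (the `Price` struct is declared inside the interface here for self-containment; in the real Pyth SDK it lives in `PythStructs`), a hypothetical `tokenId` feed id and `noOlderThan` staleness bound, and a `updatePrice` function shaped like the one in the finding. It goes one step beyond the finding's fix: if the caller cannot receive ETH (a contract without a payable fallback, or one that reverts), the refund is credited to a `pendingRefunds` balance instead of reverting the whole price update.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: this mirrors the subset of the Pyth IPyth interface the finding relies on.
interface IPyth {
    struct Price {
        int64 price;
        uint64 conf;
        int32 expo;
        uint256 publishTime;
    }

    function getUpdateFee(bytes[] calldata updateData) external view returns (uint256 feeAmount);
    function updatePriceFeeds(bytes[] calldata updateData) external payable;
    function getPriceNoOlderThan(bytes32 id, uint256 age) external view returns (Price memory price);
}

contract PriceConsumer {
    IPyth public immutable pythOracle;
    bytes32 public immutable tokenId;          // hypothetical: Pyth feed id for the asset
    uint64 public constant noOlderThan = 60;   // hypothetical: max price age in seconds

    // Refunds that could not be delivered by direct transfer (pull pattern).
    mapping(address => uint256) public pendingRefunds;

    event RefundQueued(address indexed to, uint256 amount);
    event RefundWithdrawn(address indexed to, uint256 amount);

    error InsufficientFee(uint256 required, uint256 sent);

    constructor(IPyth _pythOracle, bytes32 _tokenId) {
        pythOracle = _pythOracle;
        tokenId = _tokenId;
    }

    // Pays exactly the oracle fee and returns any excess to the caller.
    function updatePrice(bytes[] calldata priceUpdate) external payable returns (IPyth.Price memory price) {
        uint256 fee = pythOracle.getUpdateFee(priceUpdate);
        if (msg.value < fee) revert InsufficientFee(fee, msg.value);

        pythOracle.updatePriceFeeds{value: fee}(priceUpdate);
        price = pythOracle.getPriceNoOlderThan(tokenId, uint256(noOlderThan));

        // Refund is the last step: no contract state is mutated after it,
        // so a reentrant call from the receiver can only pay for another update.
        uint256 extraValue = msg.value - fee;
        if (extraValue > 0) {
            _refund(msg.sender, extraValue);
        }
    }

    // Try a direct transfer; if the receiver rejects ETH, queue the amount for withdrawal
    // rather than reverting the (already completed) oracle update.
    function _refund(address to, uint256 amount) internal {
        (bool ok, ) = payable(to).call{value: amount}("");
        if (!ok) {
            pendingRefunds[to] += amount;
            emit RefundQueued(to, amount);
        }
    }

    // Pull-based withdrawal for refunds that could not be sent directly.
    function withdrawRefund() external {
        uint256 amount = pendingRefunds[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingRefunds[msg.sender] = 0; // effects before interaction
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "refund transfer failed");
        emit RefundWithdrawn(msg.sender, amount);
    }
}
```

The explicit `msg.value < fee` check gives a descriptive error instead of the bare arithmetic-underflow panic that `msg.value - fee` would produce, and the `pendingRefunds` fallback means a caller that cannot accept ETH still gets its price update and can recover the excess later. If the direct `call` is undesirable (it forwards all remaining gas to an arbitrary receiver), dropping it and always crediting `pendingRefunds` turns this into a pure pull pattern.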