Uneven Gingham Locust
Medium
The Pyth price feed returns confidence interval along with the price. The actual price of an asset can be any value in between price +/- confidence
.
The woofi program, while comparing the wooracle price against the Pyth price, completely ignores the confidence interval.
The Pyth price feed for BTC/USD faced an incident where the price returned has diverged from the actual price. The incident report notes the following:
Several Solana programs relying on Pyth prices were impacted by this incident. The impact was exacerbated due to some programs relying on the aggregate price feed without using the confidence, which allowed liquidations to occur even though the published price was highly uncertain.
The incident shows the importance of checking the confidence intervals for prices.
This could be problematic for the WooFi Solana as the Pyth price is essential to prevent any kind of price-manipulation attacks on WooFi.
The WooFi V2 Solidity has the same formulas as the WooFi Solana and the Sherlock audit report shows that pool can be drained in the absence of the Chainlink price feeds: Issue H-1 in the Sherlock WooFi audit
Note the proposed fix for H-1, i.e to update spread on posting new price, can be bypassed by doing swaps of small amounts while still impacting the price. It is more detailed in a different issue. The graph shows the price impact and when the spread is updated. x-axis
is number of base tokens without decimals.
The get_price_impl
function ignores the Pyth price confidence interval while computing the clo_price
:
No response
- Pyth price feed faces an incident and returns incorrect prices.
- Pyth price feed for SOL faces an incident and the reported price deviates from the actual price with increased confidence intervals.
- Attacker takes advantage of the incident to drain the protocol similar to WooFi previous incident
- Attacker repeatedly swaps SOL to USDC in smaller amounts to not trigger update to the spread while reducing the wooracle price for SOL-USDC. The swaps are done to ensuring the new price is low and is around the reported price from Pyth.
- As shown in the Pyth incident report's graph, the price is reported across a range repeatedly. The attacker can perform the swaps when the pyth price is favorable and wooracle price is in the bounds.
- Attacker sells USDC for SOL after manipulating price.
Attacker can steal the tokens using the attack.
Note the solana blocktime is in milliseconds, even the shortest time can be turned into a favorable outcome to the attacker.
Also because of presence of multiple instructions in transactions, the swaps with smaller amounts can be performed with minimal transaction costs.
reference: https://neodyme.io/en/blog/lending_disclosure/
The missing use of confidence interval might allow for price manipulation
No response
No response