mirror of https://github.com/crytic/slither
parent
f25344c6a2
commit
7e54d41faa
@ -0,0 +1,52 @@ |
||||
from slither.detectors.abstract_detector import DetectorClassification |
||||
from slither.detectors.statements.pyth_unchecked import PythUnchecked |
||||
|
||||
|
||||
class PythUncheckedPublishTime(PythUnchecked): |
||||
""" |
||||
Documentation: This detector finds when the publishTime of a Pyth price is not checked |
||||
""" |
||||
|
||||
ARGUMENT = "pyth-unchecked-publishtime" |
||||
HELP = "Detect when the publishTime of a Pyth price is not checked" |
||||
IMPACT = DetectorClassification.MEDIUM |
||||
CONFIDENCE = DetectorClassification.HIGH |
||||
|
||||
WIKI = ( |
||||
"https://github.com/crytic/slither/wiki/Detector-Documentation#pyth-unchecked-publishtime" |
||||
) |
||||
WIKI_TITLE = "Pyth unchecked publishTime" |
||||
WIKI_DESCRIPTION = "Detect when the publishTime of a Pyth price is not checked" |
||||
WIKI_RECOMMENDATION = "Check the publishTime of a Pyth price." |
||||
|
||||
WIKI_EXPLOIT_SCENARIO = """ |
||||
```solidity |
||||
import "@pythnetwork/pyth-sdk-solidity/IPyth.sol"; |
||||
import "@pythnetwork/pyth-sdk-solidity/PythStructs.sol"; |
||||
|
||||
contract C { |
||||
IPyth pyth; |
||||
|
||||
constructor(IPyth _pyth) { |
||||
pyth = _pyth; |
||||
} |
||||
|
||||
function bad(bytes32 id) public { |
||||
PythStructs.Price memory price = pyth.getEmaPriceUnsafe(id); |
||||
// Use price |
||||
} |
||||
} |
||||
``` |
||||
The function `A` uses the price without checking its `publishTime` coming from the `getEmaPriceUnsafe` function. |
||||
""" |
||||
|
||||
PYTH_FUNCTIONS = [ |
||||
"getEmaPrice", |
||||
# "getEmaPriceNoOlderThan", |
||||
"getEmaPriceUnsafe", |
||||
"getPrice", |
||||
# "getPriceNoOlderThan", |
||||
"getPriceUnsafe", |
||||
] |
||||
|
||||
PYTH_FIELD = "publishTime" |
@ -0,0 +1,3 @@ |
||||
Pyth price publishTime field is not checked in C.bad(bytes32) (tests/e2e/detectors/test_data/pyth-unchecked-publishtime/0.8.20/pyth_unchecked_publishtime.sol#171-175) |
||||
- price = pyth.getEmaPriceUnsafe(id) (tests/e2e/detectors/test_data/pyth-unchecked-publishtime/0.8.20/pyth_unchecked_publishtime.sol#172) |
||||
|
@ -0,0 +1,193 @@ |
||||
contract PythStructs { |
||||
// A price with a degree of uncertainty, represented as a price +- a confidence interval. |
||||
// |
||||
// The confidence interval roughly corresponds to the standard error of a normal distribution. |
||||
// Both the price and confidence are stored in a fixed-point numeric representation, |
||||
// `x * (10^expo)`, where `expo` is the exponent. |
||||
// |
||||
// Please refer to the documentation at https://docs.pyth.network/consumers/best-practices for how |
||||
// to how this price safely. |
||||
struct Price { |
||||
// Price |
||||
int64 price; |
||||
// Confidence interval around the price |
||||
uint64 conf; |
||||
// Price exponent |
||||
int32 expo; |
||||
// Unix timestamp describing when the price was published |
||||
uint publishTime; |
||||
} |
||||
|
||||
// PriceFeed represents a current aggregate price from pyth publisher feeds. |
||||
struct PriceFeed { |
||||
// The price ID. |
||||
bytes32 id; |
||||
// Latest available price |
||||
Price price; |
||||
// Latest available exponentially-weighted moving average price |
||||
Price emaPrice; |
||||
} |
||||
} |
||||
|
||||
interface IPyth { |
||||
/// @notice Returns the period (in seconds) that a price feed is considered valid since its publish time |
||||
function getValidTimePeriod() external view returns (uint validTimePeriod); |
||||
|
||||
/// @notice Returns the price and confidence interval. |
||||
/// @dev Reverts if the price has not been updated within the last `getValidTimePeriod()` seconds. |
||||
/// @param id The Pyth Price Feed ID of which to fetch the price and confidence interval. |
||||
/// @return price - please read the documentation of PythStructs.Price to understand how to use this safely. |
||||
function getPrice( |
||||
bytes32 id |
||||
) external view returns (PythStructs.Price memory price); |
||||
|
||||
/// @notice Returns the exponentially-weighted moving average price and confidence interval. |
||||
/// @dev Reverts if the EMA price is not available. |
||||
/// @param id The Pyth Price Feed ID of which to fetch the EMA price and confidence interval. |
||||
/// @return price - please read the documentation of PythStructs.Price to understand how to use this safely. |
||||
function getEmaPrice( |
||||
bytes32 id |
||||
) external view returns (PythStructs.Price memory price); |
||||
|
||||
/// @notice Returns the price of a price feed without any sanity checks. |
||||
/// @dev This function returns the most recent price update in this contract without any recency checks. |
||||
/// This function is unsafe as the returned price update may be arbitrarily far in the past. |
||||
/// |
||||
/// Users of this function should check the `publishTime` in the price to ensure that the returned price is |
||||
/// sufficiently recent for their application. If you are considering using this function, it may be |
||||
/// safer / easier to use either `getPrice` or `getPriceNoOlderThan`. |
||||
/// @return price - please read the documentation of PythStructs.Price to understand how to use this safely. |
||||
function getPriceUnsafe( |
||||
bytes32 id |
||||
) external view returns (PythStructs.Price memory price); |
||||
|
||||
/// @notice Returns the price that is no older than `age` seconds of the current time. |
||||
/// @dev This function is a sanity-checked version of `getPriceUnsafe` which is useful in |
||||
/// applications that require a sufficiently-recent price. Reverts if the price wasn't updated sufficiently |
||||
/// recently. |
||||
/// @return price - please read the documentation of PythStructs.Price to understand how to use this safely. |
||||
function getPriceNoOlderThan( |
||||
bytes32 id, |
||||
uint age |
||||
) external view returns (PythStructs.Price memory price); |
||||
|
||||
/// @notice Returns the exponentially-weighted moving average price of a price feed without any sanity checks. |
||||
/// @dev This function returns the same price as `getEmaPrice` in the case where the price is available. |
||||
/// However, if the price is not recent this function returns the latest available price. |
||||
/// |
||||
/// The returned price can be from arbitrarily far in the past; this function makes no guarantees that |
||||
/// the returned price is recent or useful for any particular application. |
||||
/// |
||||
/// Users of this function should check the `publishTime` in the price to ensure that the returned price is |
||||
/// sufficiently recent for their application. If you are considering using this function, it may be |
||||
/// safer / easier to use either `getEmaPrice` or `getEmaPriceNoOlderThan`. |
||||
/// @return price - please read the documentation of PythStructs.Price to understand how to use this safely. |
||||
function getEmaPriceUnsafe( |
||||
bytes32 id |
||||
) external view returns (PythStructs.Price memory price); |
||||
|
||||
/// @notice Returns the exponentially-weighted moving average price that is no older than `age` seconds |
||||
/// of the current time. |
||||
/// @dev This function is a sanity-checked version of `getEmaPriceUnsafe` which is useful in |
||||
/// applications that require a sufficiently-recent price. Reverts if the price wasn't updated sufficiently |
||||
/// recently. |
||||
/// @return price - please read the documentation of PythStructs.Price to understand how to use this safely. |
||||
function getEmaPriceNoOlderThan( |
||||
bytes32 id, |
||||
uint age |
||||
) external view returns (PythStructs.Price memory price); |
||||
|
||||
/// @notice Update price feeds with given update messages. |
||||
/// This method requires the caller to pay a fee in wei; the required fee can be computed by calling |
||||
/// `getUpdateFee` with the length of the `updateData` array. |
||||
/// Prices will be updated if they are more recent than the current stored prices. |
||||
/// The call will succeed even if the update is not the most recent. |
||||
/// @dev Reverts if the transferred fee is not sufficient or the updateData is invalid. |
||||
/// @param updateData Array of price update data. |
||||
function updatePriceFeeds(bytes[] calldata updateData) external payable; |
||||
|
||||
/// @notice Wrapper around updatePriceFeeds that rejects fast if a price update is not necessary. A price update is |
||||
/// necessary if the current on-chain publishTime is older than the given publishTime. It relies solely on the |
||||
/// given `publishTimes` for the price feeds and does not read the actual price update publish time within `updateData`. |
||||
/// |
||||
/// This method requires the caller to pay a fee in wei; the required fee can be computed by calling |
||||
/// `getUpdateFee` with the length of the `updateData` array. |
||||
/// |
||||
/// `priceIds` and `publishTimes` are two arrays with the same size that correspond to senders known publishTime |
||||
/// of each priceId when calling this method. If all of price feeds within `priceIds` have updated and have |
||||
/// a newer or equal publish time than the given publish time, it will reject the transaction to save gas. |
||||
/// Otherwise, it calls updatePriceFeeds method to update the prices. |
||||
/// |
||||
/// @dev Reverts if update is not needed or the transferred fee is not sufficient or the updateData is invalid. |
||||
/// @param updateData Array of price update data. |
||||
/// @param priceIds Array of price ids. |
||||
/// @param publishTimes Array of publishTimes. `publishTimes[i]` corresponds to known `publishTime` of `priceIds[i]` |
||||
function updatePriceFeedsIfNecessary( |
||||
bytes[] calldata updateData, |
||||
bytes32[] calldata priceIds, |
||||
uint64[] calldata publishTimes |
||||
) external payable; |
||||
|
||||
/// @notice Returns the required fee to update an array of price updates. |
||||
/// @param updateData Array of price update data. |
||||
/// @return feeAmount The required fee in Wei. |
||||
function getUpdateFee( |
||||
bytes[] calldata updateData |
||||
) external view returns (uint feeAmount); |
||||
|
||||
/// @notice Parse `updateData` and return price feeds of the given `priceIds` if they are all published |
||||
/// within `minPublishTime` and `maxPublishTime`. |
||||
/// |
||||
/// You can use this method if you want to use a Pyth price at a fixed time and not the most recent price; |
||||
/// otherwise, please consider using `updatePriceFeeds`. This method does not store the price updates on-chain. |
||||
/// |
||||
/// This method requires the caller to pay a fee in wei; the required fee can be computed by calling |
||||
/// `getUpdateFee` with the length of the `updateData` array. |
||||
/// |
||||
/// |
||||
/// @dev Reverts if the transferred fee is not sufficient or the updateData is invalid or there is |
||||
/// no update for any of the given `priceIds` within the given time range. |
||||
/// @param updateData Array of price update data. |
||||
/// @param priceIds Array of price ids. |
||||
/// @param minPublishTime minimum acceptable publishTime for the given `priceIds`. |
||||
/// @param maxPublishTime maximum acceptable publishTime for the given `priceIds`. |
||||
/// @return priceFeeds Array of the price feeds corresponding to the given `priceIds` (with the same order). |
||||
function parsePriceFeedUpdates( |
||||
bytes[] calldata updateData, |
||||
bytes32[] calldata priceIds, |
||||
uint64 minPublishTime, |
||||
uint64 maxPublishTime |
||||
) external payable returns (PythStructs.PriceFeed[] memory priceFeeds); |
||||
} |
||||
|
||||
|
||||
contract C { |
||||
IPyth pyth; |
||||
|
||||
constructor(IPyth _pyth) { |
||||
pyth = _pyth; |
||||
} |
||||
|
||||
function bad(bytes32 id) public { |
||||
PythStructs.Price memory price = pyth.getEmaPriceUnsafe(id); |
||||
require(price.conf < 10000); |
||||
// Use price |
||||
} |
||||
|
||||
function good(bytes32 id) public { |
||||
PythStructs.Price memory price = pyth.getEmaPriceUnsafe(id); |
||||
require(price.publishTime > block.timestamp - 120); |
||||
require(price.conf < 10000); |
||||
// Use price |
||||
} |
||||
|
||||
function good2(bytes32 id) public { |
||||
PythStructs.Price memory price = pyth.getEmaPriceUnsafe(id); |
||||
require(price.conf < 10000); |
||||
if (price.publishTime <= block.timestamp - 120) { |
||||
revert(); |
||||
} |
||||
// Use price |
||||
} |
||||
|
||||
} |
Loading…
Reference in new issue