Trail of Bits

Pyth Entropy

Type: Security review
Client: Pyth Data Association
Date: 2023-12
Domain: Blockchain
Effort: 4 wks
Section: Ethereum/EVM

Trail of Bits's security review of Pyth Entropy for Pyth Data Association (Dec 2023) identified 12 issues: 4 high, 1 medium, 3 low, and 4 informational.

Findings · 12

  1. Deposited assets cannot be withdrawn (High)
  2. Lack of contract existence check on low-level call (Low)
  3. Lack of two-step process for critical operations (Medium)
  4. Users can influence the Entropy revealed result (High)
  5. Integrating protocols may be vulnerable to multiparty collusion attacks (High)
  6. Lack of zero-value checks (Low)
  7. Entropy providers may reveal seed before request is finalized (High)
  8. Fortuna entropy seed does not bind provider identity (Informational)
  9. Secrets appear in environment variables and command-line arguments (Informational)
  10. Calls to the reveal function may succeed on inactive requests (Informational)
  11. Insufficient unit tests for Fortuna (Informational)
  12. Provider may earn fees without disclosing entropy (Low)

Findings extracted from the published report PDF. See the full report below for details and remediation.
