pyth-network / pyth-sdk-rs Goto Github PK

Hello Pyth developers :)

The PR #77 from @ali-bahjati was a breaking change relative to 0.6, so I requested a release of 0.7. Thank you for that.

We noticed while reviewing the change on our code to update to 0.7, that there's a big change to PriceFeed (4f4f8c7#diff-a65a7eeb4bb0903ac59ac4c4d43a6829364bc0b9136830ccc155a59d1b2720c3L135-L176).

Question: It looks like the change would result in a breaking change in the data that we'd read on chain, is this correct, and should projects remain on the 0.6 branch until some point in the future if so?

Or are there imminent plans to deploy the change (or has it been deployed)?

Thanks

pub fn load_price_feed_from_account_info(
    price_account_info: &AccountInfo,
) -> Result<PriceFeed, PythError> {
    let data = price_account_info
        .try_borrow_data()
        .maperr(|| PythError::InvalidAccountData)?;
    let price_account = load_price_account(*data)?;

    Ok(price_account.to_price_feed(price_account_info.key))
}

we have this function but we are not checking if the price_account_info is actually owned by PYTH or not. When developers integrates this in their program then attacker can provide malicious account instead of real PYTH account. A malicious account which will give big amount of price or very much low amount of price which can be useful in stealing funds.

Instead of checking this from crate user's, it's good security practice to check it itself in our SDK code.

Steps to produce

1. solana-keygen new -o program_address.json
2. cd examples/sol-contract-anchor
3. anchor build
4. anchor deploy --program-keypair program_address.json --program-name sol-anchor-contract
5. npm i
6. anchor test

1. sol-anchor-contract
   Check loan to value ratio.:
   Error: AnchorError caused by account: pyth_loan_account. Error Code: PythError. Error Number: 6005. Error Message: Pyth has an internal error..

Based on this PR in pyth-client-rs

In pyth-sdk-solana, there is a function converting PythError to ProgramError defined in the solana_program crate. However, there is no conversion to Error defined in the anchor_lang crate, making it a bit difficult to handle error in contracts written with Anchor.

Ali suggested me opening an issue here for improvement.

Currently the sdk checks for stale prices based on Solana clock syscall and it can make testing using pyth hard. Add a feature flag to avoid it for testing purposes.

Terrain has some constraints on the structure of code but might be more familiar for people to use.

declare_id exposes ids publicly and it might be misleading for users. It is a practice in sdks that they include their contract ID and consumers often check with that. In Pyth usecase it is unlikely that a consumer do that because usually they initialize their contracts with correct price account key and check against that.

We can keep it as it is, or move out test contract, or make it mainnet/devnet id.

Hi - just wondering if we could get the timestamp of the price? Thank you!

This example requires updates in the code and new versions of dependencies.

1. cd examples/sol-contract
2. cargo build
   error
   no method named get_current_pricefound for structPriceFeed in the current scope
examples/sol-contract/src/processor.rs:87:33
let result1 = feed1.get_current_price().ok_or(ProgramError::Custom(3))?;

If I rollback to commit 'An example contract for solana (#72)' I can go one step further:

1. cd examples/sol-contract
2. cargo build
3. cd scripts
4. sh build.sh

error
error: failed to select a version for the requirement time = "^0.3"
candidate versions found which didn't match: 0.3.15, 0.3.14, 0.3.13,

I'm trying to install pyth-sdk-solana sdk into my rust project for fetching price off-chain.

All I did is just put the config into my Cargo.toml

pyth-sdk-solana = "=0.0.8" 

But I failed to build, when trying to run cargo build I got this error.

Do I need to install other dependencies manually ?

The solana example currently doesn't have any CI. So if it fails we do not get it.

Hello, the latest pyth-sdk-solana v0.7.2 only supports up to solana-program v0.15.

I saw that pyth-sdk v0.8.0 was updated to support solana 1.16. Is there work in progress to support solana 1.16?
There is some inconsistencies with borsch 0.9.3 and 0.10.3 that was causing issues

Hi - could you give an dummy example on how to construct AccountInfo for on-chain price consume? Thank you!

Can the version requirement for Solana dependencies be updated?

The current limit placed on Solana dependencies (that is 1.8.1, < 1.11) as can be seen here is outdated with newer version (that is 1.14.1) of solana-program, solana-client and solana-sdk now available.

I submitted a PR a few weeks ago to relax the solana versoin constraints (#81). I'd like to request a bump in the released crate so it can have that change.

4f4f8c7 was a breaking change, so I'm suggesting v0.7.0

I would like to suggest a feature request for Solana.

To the extent practicable, it would be great to supply a version range on solana-* dependencies (https://github.com/pyth-network/pyth-sdk-rs/blob/main/pyth-sdk-solana/Cargo.toml#L25-L26).

A lot of projects have been on 1.10 for a while, and with recent QOL changes to the network, there's more incentive for us to move to 1.11 and beyond.

For core libraries like Pyth, sometimes specifying a specific minor version can lead to us having to temporarily fork when there's dependency conflicts.

It could be better to instead supply a version range on the cargo file, with the last tested release set as the upper bound (e.g. solana-sdk = "<1.14".

If this is a reasonable solution, I can create a PR and test locally to find the right version to set as the maximum.

Thanks