Pyth Lazer for Cardano

[matej-douro]

Summary

This is a big PR, merging Cardano work that was previously in a separate branch to main. There's more to do when it comes to SDK and building transactions off-chain, but contract itself should be in a place where the design is set and implemented.

How has this been tested?

• Current tests cover my changes
• Added new tests
• Manually tested the code

---

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
api-reference	Error		Mar 7, 2026 5:27am
component-library	Error		Mar 7, 2026 5:27am
developer-hub	Error		Mar 7, 2026 5:27am

4 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
entropy-explorer	Skipped		Mar 7, 2026 5:27am
insights	Skipped		Mar 7, 2026 5:27am
proposals	Skipped		Mar 7, 2026 5:27am
staking	Skipped		Mar 7, 2026 5:27am

[devin-ai-integration]

📝 Info: State NFT policy ID cannot be validated in spend handler (documented design limitation)

The state.spend function at state.ak:132-134 extracts the single non-ADA asset from the input and uses its policy ID to locate the output, but cannot verify the policy ID matches the expected minting script hash without creating a circular dependency. The code documents this limitation clearly at lines 127-131. Security relies on the fact that only the legitimate minting script can produce tokens with the correct policy ID (since the origin UTxO is consumed during minting). This is a known Cardano pattern for avoiding circular script references.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

📝 Info: get_updates intentionally skips signature verification

The get_updates function at lazer/contracts/cardano/lib/pyth.ak:26-39 calls message.parse_without_verification rather than message.parse_and_verify. This is intentional: it's an SDK helper for consumer contracts to read price updates from a transaction's redeemers after the pyth_price withdraw validator (lazer/contracts/cardano/validators/pyth_price.ak:15-33) has already verified each update's signature and signer trust. Duplicating verification on the consumer side would waste execution budget. The variable shadowing on line 35 (let message = message.parse_without_verification(message)) is valid Aiken — the module message is used for the function call, and the parameter message is used as the argument.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[matej-douro]

Moved shared logic to https://github.com/pyth-network/pyth-lazer-cardano repo - we can merge its PR first (pyth-network/pyth-lazer-cardano#1).

[devin-ai-integration]

📝 Info: Wormhole guardian set upgrade doesn't require owner NFT

In lazer/contracts/cardano/validators/wormhole_state.ak:36, the is_owner boolean from state.spend is discarded with _. This means anyone can submit a guardian set upgrade VAA. This is intentionally correct — guardian set upgrades are authenticated by the VAA itself (signed by the current guardian set quorum), and the contract at wormhole/governance.ak:31 enforces old.set_index + 1 == new.set_index. Not flagged as a bug because the security comes from VAA verification, not owner NFT.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

📝 Info: Pyth state initialized with empty withdraw_script

In lazer/contracts/cardano/sdk/js/src/transactions.ts:108, the initial Pyth state is created with withdraw_script: new Uint8Array() (empty bytes). This means no withdraw script is active at deployment time, so price verification via the zero-withdraw trick won't work until a governance action sets one. The is_active_withdraw_script function at lazer/contracts/cardano/validators/pyth_state.ak:26-35 would fail to match any credential against an empty hash. This appears intentional (deploy first, configure via governance), but operators should be aware that the contract is non-functional for price verification immediately after deployment.

---

Was this helpful? React with 👍 or 👎 to provide feedback.