Hi all,

I want to integrate Pyth with a new chain, with smart contract support in Python.

This is the flow of messages I gather should happen:

1. Get the price info off-chain, using Hermes for example (curl "https://hermes.pyth.network/v2/updates/price/latest?ids[]=ec7a775f46379b5e943c3526b1c8d54cd49749176b0b98e02dde68d1bd335c17&binary=true"). I’ll get the hexadecimal data.
2. Send the data to the on-chain contract;
3. On-chain contract has to validate the data;

The data validation process is the one which is unclear to me. I believe there are 2 validations:
a) Validate the VAA message comes from Wormhole;
b) Validate the payload data with oracle info. This would be a Pyth specific message?

Is that correct?

From the hexadecimal VAA data, how can I validate it? Probably there are some resources from Wormhole that you can point to?

After that, how do I decode and validate the Pyth specific data? I couldn’t find resources on the documentation website.

I can try to follow some of the existing integration codes (example: Stacks integration), but it would be much better if I could understand the data models and validation from your docs so no mistakes are made.

Any help is appreciated!

Hi,

Unfortunately we don’t have any documentation for the wire format. I recommend following the links below to get a better understanding:

• Pythnet SDK: This SDK has the wire formats for Pyth Update data. This test parses an actual update data.
• Hermes: This service constructs the Pyth update data from Pythnet prices and Wormhole proofs

Thanks! Will check it out.

@benji you are the best! Thanks for the detailed explanation.

Hey, following up here because I noticed some things were up with the analysis that Claude output. I’m still working on this to find a robust and complete solution. When I get there, I’ll be sure to share it here

Thanks @benji. Let me know if I can also help.

Code taken from the example explained above:

Example VAA hex (first 100 bytes)

vaa_hex = “504e41550100000003b801000000040d016ac12a9f…”

sig_count = vaa_bytes[5]

print(f"Signatures: {signature_count}") # 13 guardians signed

If you look at the data closely, the 6th byte (index 5 for 0 based indexing) in vaa_hex is 0 and it still calculated the number of guardians that have signed as 13.

I don’t think this analysis is 100% accurate.

Hi guys, deleted my earlier post as I wasn’t able to (or couldn’t figure out how to edit it)

I went back to the drawing board, and put together this repository that shows & documents exactly how to extract and verify a wormhole VAA.

One big gotcha I ran into, is that the Pyth VAA’s available from hermes v1 api, seemed to be signed by a different guardian set - any time I tried to recover an address from a signature, it wouldn’t match the v4 guardian set from wormhole. It’s also possible I wasn’t properly constructing the body to create the digest needed to recover the public key.

IN ANY CASE, here’s a repo showing exactly how to validate a wormhole VAA.

I’m working on parsing the Pyth Price update from the payload, will follow up when I get that figured out & have a working example & tests.

Dropping back in for a quick update.

I haven’t been able to validate a Pyth Hermes v1 VAA, or find some cryptographic link between one and a Wormhole VAA with the same emitter address & sequence number from WormholeScan.

Not really sure where to go from here.

@ali perhaps you could shed some light on what the correct approach is for verifying Pyth Hermes VAA signatures against the Wormhole Guardian Set Addresses ?

@benji

Please see my reply here. This will help you out to verify the messages.