Platform: Code4rena
Start Date: 28/11/2022
Pot Size: $192,500 USDC
Total HM: 33
Participants: 106
Period: 11 days
Judge: LSDan
Total Solo HM: 15
Id: 186
League: ETH
Rank: 51/106
Findings: 2
Award: $148.85
π Selected for report: 0
π Solo Findings: 0
π Selected for report: IllIllI
Also found by: 0xNazgul, Atarpara, Awesome, Aymen0909, BClabs, Kong, ali_shehab, bullseye, chaduke, csanuragjain, datapunk, fatherOfBlocks, hansfriese, kaliberpoziomka8552, nicobevi, pashov, pzeus, shark, unforgiven, web3er, xiaoming90
44.934 USDC - $44.93
According to this comment, removeFeeder() is intended to be called only by the owner to remove the feeder.
However, because it is missing the modifier onlyRole() and since removeFeeder() is also external anyone can make a call to removeFeeder() and remove its feeder.
The owner may try to add feeders back by calling addFeeders(), but a malicious user can continuously call removeFeeder() to remove the feeder every time the owner adds the feeder back.
Depending on the price feed information and updates, this can disrupt the protocol on all function calls.
misc/NFTFloorOracle.sol#L165-L172
/// @notice Allows owner to remove feeder. /// @param _feeder feeder to remove function removeFeeder(address _feeder) external onlyWhenFeederExisted(_feeder) { _removeFeeder(_feeder); }
As we can see, removeFeeder() does not have an onlyRole() modifier to verify if the person calling is the owner.
Add the modifier onlyRole() to the removeFeeder() function
#0 - JeffCX
2022-12-18T04:03:12Z
#1 - c4-judge
2022-12-20T16:58:55Z
dmvt marked the issue as duplicate of #31
#2 - c4-judge
2023-01-09T14:10:54Z
dmvt changed the severity to 3 (High Risk)
#3 - c4-judge
2023-01-23T16:00:33Z
dmvt marked the issue as satisfactory
π Selected for report: IllIllI
Also found by: 0x4non, 0x52, 0xAgro, 0xNazgul, 0xSmartContract, 0xackermann, 9svR6w, Awesome, Aymen0909, B2, BRONZEDISC, Bnke0x0, Deekshith99, Deivitto, Diana, Dravee, HE1M, Jeiwan, Kaiziron, KingNFT, Lambda, Mukund, PaludoX0, RaymondFam, Rolezn, Sathish9098, Secureverse, SmartSek, __141345__, ahmedov, ayeslick, brgltd, cccz, ch0bu, chrisdior4, cryptonue, cryptostellar5, csanuragjain, datapunk, delfin454000, erictee, gz627, gzeon, helios, i_got_hacked, ignacio, imare, jadezti, jayphbee, joestakey, kankodu, ksk2345, ladboy233, martin, nadin, nicobevi, oyc_109, pashov, pavankv, pedr02b2, pzeus, rbserver, ronnyx2017, rvierdiiev, shark, unforgiven, xiaoming90, yjrwkk
103.9175 USDC - $103.92
Usually, lines in source code are limited to 80 characters.
It's advised to keep lines lower than 120 characters.
Todayβs screens are much larger so itβs reasonable to stretch this in some cases.
Since the files will most likely reside in GitHub, and GitHub starts using a scroll bar in all cases when the length is over 164 characters, the lines below should be split when they reach that length
There is 1 instance of this issue
Line 104: //userDebt from liquadationReserve
Line 53: /// aggeregate prices which are not expired from different feeders, if number of valid/unexpired prices Line 54: /// not enough, we do not aggeregate and just use previous price Line 412: //aggeregate with price from all feeders
Line 14: * @param hash the hash containing the signed mesage Line 15: * @param v parameter (27 or 28). This prevents maleability since the public key recovery equation has two possible solutions. Line 43: * @param hash the hash containing the signed mesage Line 48: * @param domainSeparator paramer to prevent signature being executed in other chains and environments
Suggested changes:
liquadationReserve => liquidationReserveaggeregate => aggregatemesage => messagemaleability => malleabilityparamer => parameter#0 - c4-judge
2023-01-25T17:04:04Z
dmvt marked the issue as grade-b