Platform: Code4rena
Start Date: 28/11/2022
Pot Size: $192,500 USDC
Total HM: 33
Participants: 106
Period: 11 days
Judge: LSDan
Total Solo HM: 15
Id: 186
League: ETH
Rank: 92/106
Findings: 2
Award: $50.56
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0xNazgul, Atarpara, Awesome, Aymen0909, BClabs, Kong, ali_shehab, bullseye, chaduke, csanuragjain, datapunk, fatherOfBlocks, hansfriese, kaliberpoziomka8552, nicobevi, pashov, pzeus, shark, unforgiven, web3er, xiaoming90
44.934 USDC - $44.93
This was probably just a typo: the function should carry the onlyRole(DEFAULT_ADMIN_ROLE) modifier rather than onlyWhenFeederExisted(), since _removeFeeder() already checks that the feeder exists. If it remains unchanged, anyone can remove feeders and thereby render the protocol's NFT price oracle unusable. A malicious actor could run a bot that removes feeders, leaving the price saved in storage outdated.
One example: the admin sets 3 feeders that feed the BAYC NFT floor price. A user supplies a BAYC NFT as collateral for a loan and runs a bot that removes every feeder as soon as it is set once the price starts going down. Because the stored price is never updated, the user will never get liquidated, since their NFT health factor will always stay above 1.
Tools Used: Manual review, VS Code
Replace onlyWhenFeederExisted(_feeder) with onlyRole(DEFAULT_ADMIN_ROLE)
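The defect and the recommended fix side by side, as an added illustration constructed for this page (not the project's own source): a minimal feeder registry in which the vulnerable remove function is gated only by the existence check and the fixed one by the admin role. The storage layout (isFeeder, feederCount), the addFeeder function and the revert strings are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/access/AccessControl.sol";

// Constructed example modelled on the finding; not the project's source.
contract FeederRegistryExample is AccessControl {
    mapping(address => bool) public isFeeder; // assumed storage layout
    uint256 public feederCount;               // assumed; the oracle needs enough live feeders

    constructor() {
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
    }

    // Existence check only: it says nothing about WHO is calling.
    modifier onlyWhenFeederExisted(address _feeder) {
        require(isFeeder[_feeder], "NFTOracle: feeder not existed");
        _;
    }

    function addFeeder(address _feeder) external onlyRole(DEFAULT_ADMIN_ROLE) {
        require(!isFeeder[_feeder], "NFTOracle: feeder existed");
        isFeeder[_feeder] = true;
        feederCount += 1;
    }

    // VULNERABLE (as reported): the only gate is the existence check, so any
    // account can unregister a feeder and starve the oracle of fresh prices.
    function removeFeederVulnerable(address _feeder) external onlyWhenFeederExisted(_feeder) {
        _removeFeeder(_feeder);
    }

    // FIXED (recommended mitigation): gate on the admin role instead. The
    // existence check is not lost because _removeFeeder repeats it.
    function removeFeeder(address _feeder) external onlyRole(DEFAULT_ADMIN_ROLE) {
        _removeFeeder(_feeder);
    }

    function _removeFeeder(address _feeder) internal {
        require(isFeeder[_feeder], "NFTOracle: feeder not existed");
        isFeeder[_feeder] = false;
        feederCount -= 1;
    }
}
```

A unit test that calls removeFeederVulnerable from a non-admin account and expects success, then calls removeFeeder from the same account and expects an AccessControl revert, demonstrates the difference directly.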
#0 - c4-judge
2022-12-20T16:58:03Z
dmvt marked the issue as duplicate of #31
#1 - c4-judge
2023-01-09T14:10:32Z
dmvt changed the severity to 3 (High Risk)
#2 - c4-judge
2023-01-23T16:10:26Z
dmvt marked the issue as satisfactory