ParaSpace contest - Kong's results

The First Ever Cross-Margin NFT Financialization Protocol.

General Information

Platform: Code4rena

Start Date: 28/11/2022

Pot Size: $192,500 USDC

Total HM: 33

Participants: 106

Period: 11 days

Judge: LSDan

Total Solo HM: 15

Id: 186

League: ETH

ParaSpace

Researcher Performance

Rank: 42/106

Findings: 2

Award: $289.21

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

22.467 USDC - $22.47

Labels

bug
3 (High Risk)
partial-50
sponsor confirmed
duplicate-402

External Links

Lines of code

https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/misc/NFTFloorOracle.sol#L167-L172

Vulnerability details

Impact

In the NFTFloorOracle contract, the removeFeeder function is used to remove the Feeder role in the contract, and the addFeeders function is used to add the Feeder role in the contract. Only the DEFAULT_ADMIN_ROLE role can perform the addFeeders operation, but the removeFeeder function can be called by any user. This will lead to the risk of malicious removal of the Feeder role in the contract.

Proof of Concept

    function removeFeeder(address _feeder)
        external
        onlyWhenFeederExisted(_feeder)
    {
        _removeFeeder(_feeder);
    }

https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/misc/NFTFloorOracle.sol#L167-L172

Tools Used

N/A

It is recommended to add permission control to the removeFeeder function.

#0 - c4-sponsor

2022-12-06T03:54:47Z

yubo-ruan marked the issue as sponsor confirmed

#1 - c4-judge

2022-12-20T16:58:08Z

dmvt marked the issue as duplicate of #31

#2 - c4-judge

2023-01-09T14:15:07Z

dmvt marked the issue as partial-50

Findings Information

🌟 Selected for report: ladboy233

Also found by: Kong, Lambda, R2, __141345__, mahdikarimi

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
sponsor acknowledged
duplicate-242

Awards

266.7397 USDC - $266.74

External Links

Lines of code

https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/misc/ParaSpaceFallbackOracle.sol#L43-L61

Vulnerability details

Impact

In the ParaSpaceFallbackOracle contract, the getAssetPrice function is used to obtain the price of the specified token. When the token is a non-ERC721 token, it will obtain the reserve amount of the pool through the getReserves function of the Pair contract, and calculate the price through the getAmountOut interface.

This is an extremely easy-to-manipulate price acquisition method. As long as malicious users use a large amount of funds to perform swap operations in the Pair, they can manipulate the price calculation results. And malicious users can use flash loans to reduce manipulation costs. Therefore, it is extremely dangerous to use this method to obtain prices.

The ParaSpaceFallbackOracle::getAssetPrice function is called by the getAssetPrice function of the ParaSpaceOracle contract. When assetsSources[asset] is 0, the ParaSpaceFallbackOracle::getAssetPrice call can be triggered. And ParaSpaceOracle::getAssetPrice is used in the validateBorrow, calculateUserAccountData, and _calculateERC20LiquidationParameters operations of the protocol. These are the core functions to ensure the stable operation of the protocol. Once manipulated, it will cause losses to users' assets.

Proof of Concept

    function getAssetPrice(address asset) public view returns (uint256) {
       ...
        address pairAddress = IUniswapV2Factory(UNISWAP_FACTORY).getPair(
            WETH,
            asset
        );
        require(pairAddress != address(0x00), "pair not found");
        IUniswapV2Pair pair = IUniswapV2Pair(pairAddress);
        (uint256 left, uint256 right, ) = pair.getReserves();
        (uint256 tokenReserves, uint256 ethReserves) = (asset < WETH)
            ? (left, right)
            : (right, left);
        uint8 decimals = ERC20(asset).decimals();
        //returns price in 18 decimals
        return
            IUniswapV2Router01(UNISWAP_ROUTER).getAmountOut(
                10**decimals,
                tokenReserves,
                ethReserves
            );
    }

https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/misc/ParaSpaceFallbackOracle.sol#L43-L61

    function getAssetPrice(address asset)
        public
        view
        override
        returns (uint256)
    {
        ...
        if (price == 0 && address(_fallbackOracle) != address(0)) {
            price = _fallbackOracle.getAssetPrice(asset);
        }
        ...
    }

https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/misc/ParaSpaceOracle.sol#L131

Tools Used

N/A

If the protocol needs to obtain prices from Uniswap v2 Pairs, a safe implementation is to use TWAP oracles. It uses a time-weighted approach to deal with short-term price manipulation. The following is the implementation reference of the TWAP oracle: https://github.com/Uniswap/v2-periphery/blob/master/contracts/examples/ExampleOracleSimple.sol
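
An added example (not part of the submitted finding or of the ParaSpace code base): a small Python model of the constant-product math, comparing the reserve-based spot quote that the fallback oracle returns with a time-weighted average over a 30-minute window. The pool sizes, swap size, window length and 12-second block time are constructed values, and the TWAP here averages the spot quote directly rather than reading Uniswap's cumulative price accumulators.

```python
# Constructed model of a Uniswap v2 style pair; all numbers are illustrative.
FEE_NUM, FEE_DEN = 997, 1000  # 0.3% fee, as in UniswapV2Library.getAmountOut


def get_amount_out(amount_in, reserve_in, reserve_out):
    """Integer math mirroring UniswapV2Library.getAmountOut."""
    amount_in_with_fee = amount_in * FEE_NUM
    return (amount_in_with_fee * reserve_out) // (
        reserve_in * FEE_DEN + amount_in_with_fee
    )


def spot_price(token_res, eth_res, decimals=18):
    """Fallback-oracle style quote: WETH received for one whole token."""
    return get_amount_out(10**decimals, token_res, eth_res)


def swap_eth_for_token(token_res, eth_res, eth_in):
    """Reserves after a single WETH -> token swap."""
    token_out = get_amount_out(eth_in, eth_res, token_res)
    return token_res - token_out, eth_res + eth_in


def twap(observations):
    """Time-weighted mean of (price, seconds_held) observations."""
    total_seconds = sum(seconds for _, seconds in observations)
    return sum(price * seconds for price, seconds in observations) // total_seconds


def scenario():
    token_res, eth_res = 1_000_000 * 10**18, 1_000 * 10**18  # constructed pool
    honest = spot_price(token_res, eth_res)
    skewed_res = swap_eth_for_token(token_res, eth_res, 1_000 * 10**18)
    skewed = spot_price(*skewed_res)
    # Skewed reserves undone inside the same transaction carry zero time weight.
    same_tx = twap([(honest, 1800), (skewed, 0)])
    # Skewed reserves held for one 12 s block of an 1800 s window.
    one_block = twap([(honest, 1788), (skewed, 12)])
    return honest, skewed, same_tx, one_block


if __name__ == "__main__":
    honest, skewed, same_tx, one_block = scenario()
    print(f"spot before swap : {honest / 1e18:.6f} WETH")
    print(f"spot after swap  : {skewed / 1e18:.6f} WETH ({skewed / honest:.2f}x)")
    print(f"TWAP, same tx    : {same_tx / 1e18:.6f} WETH")
    print(f"TWAP, one block  : {one_block / 1e18:.6f} WETH ({one_block / honest:.3f}x)")
```

In this model one swap moves the spot quote by roughly 4x, while the 30-minute average moves by about 2% when the skewed reserves persist for a block and not at all when they are restored within the same transaction.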

#0 - c4-sponsor

2022-12-06T01:53:32Z

yubo-ruan marked the issue as sponsor acknowledged

#1 - c4-judge

2022-12-20T17:52:23Z

dmvt marked the issue as duplicate of #50

#2 - c4-judge

2023-01-09T16:43:05Z

dmvt changed the severity to 2 (Med Risk)

#3 - c4-judge

2023-01-23T16:15:28Z

dmvt marked the issue as satisfactory
