Platform: Code4rena
Start Date: 28/11/2022
Pot Size: $192,500 USDC
Total HM: 33
Participants: 106
Period: 11 days
Judge: LSDan
Total Solo HM: 15
Id: 186
League: ETH
Rank: 63/106
Findings: 2
Award: $109.55
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0x4non, 0x52, 0xAgro, 0xNazgul, 0xSmartContract, 0xackermann, 9svR6w, Awesome, Aymen0909, B2, BRONZEDISC, Bnke0x0, Deekshith99, Deivitto, Diana, Dravee, HE1M, Jeiwan, Kaiziron, KingNFT, Lambda, Mukund, PaludoX0, RaymondFam, Rolezn, Sathish9098, Secureverse, SmartSek, __141345__, ahmedov, ayeslick, brgltd, cccz, ch0bu, chrisdior4, cryptonue, cryptostellar5, csanuragjain, datapunk, delfin454000, erictee, gz627, gzeon, helios, i_got_hacked, ignacio, imare, jadezti, jayphbee, joestakey, kankodu, ksk2345, ladboy233, martin, nadin, nicobevi, oyc_109, pashov, pavankv, pedr02b2, pzeus, rbserver, ronnyx2017, rvierdiiev, shark, unforgiven, xiaoming90, yjrwkk
103.9175 USDC - $103.92
When updating oracle configs, there is no validation of the parameters. If the parameters are set to inappropriate values, the system may be jeopardized.

If maxPriceDeviation is set to 50, which is a valid but incorrect value, no NFT price will ever be updated, since __checkValidity() will return false whenever an NFT price is set.

Another parameter, expirationPeriod, which is also not validated, likewise has an important impact on NFT price updates.

Manual audit.

Add the necessary data validation logic, e.g. 100 < maxPriceDeviation < MAX_DEVIATION_RATE and MIN_EXPIRATION_PERIOD < expirationPeriod < MAX_EXPIRATION_PERIOD.
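The following contract is an added illustration of the finding and its recommended mitigation; it is not the audited project's code. It shows the unchecked setter the finding describes beside a hardened setter that enforces the suggested bounds, and a ratio-style validity check under which a maxPriceDeviation of 50 can never be satisfied. The function names (setConfigUnchecked, setConfig, _checkValidity), the struct layout, the percent-scaled ratio check and the values of MAX_DEVIATION_RATE, MIN_EXPIRATION_PERIOD and MAX_EXPIRATION_PERIOD are all assumptions chosen to match the behaviour the finding reports.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example for the finding above; not the audited project's code.
/// Names, struct layout and constant values are assumptions.
contract OracleConfigExample {
    struct Config {
        uint128 expirationPeriod;  // how long (in blocks) a price stays valid
        uint128 maxPriceDeviation; // allowed new/old (or old/new) ratio, scaled by 100
    }

    // Assumed bounds: the finding names these constants but gives no values.
    uint128 public constant MAX_DEVIATION_RATE = 1000;      // 10x, scaled by 100
    uint128 public constant MIN_EXPIRATION_PERIOD = 100;    // blocks
    uint128 public constant MAX_EXPIRATION_PERIOD = 10_000; // blocks

    Config public config;
    address public immutable admin;

    constructor() {
        admin = msg.sender;
        config = Config(1800, 200); // assumed defaults: 1800 blocks, 2x deviation
    }

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    /// Weak setter of the shape the finding describes: any value is accepted,
    /// so maxPriceDeviation = 50 silently freezes all future price updates.
    function setConfigUnchecked(uint128 expirationPeriod, uint128 maxPriceDeviation)
        external
        onlyAdmin
    {
        config = Config(expirationPeriod, maxPriceDeviation);
    }

    /// Hardened setter enforcing the bounds from the recommended mitigation.
    function setConfig(uint128 expirationPeriod, uint128 maxPriceDeviation)
        external
        onlyAdmin
    {
        require(
            maxPriceDeviation > 100 && maxPriceDeviation < MAX_DEVIATION_RATE,
            "maxPriceDeviation out of range"
        );
        require(
            expirationPeriod > MIN_EXPIRATION_PERIOD &&
                expirationPeriod < MAX_EXPIRATION_PERIOD,
            "expirationPeriod out of range"
        );
        config = Config(expirationPeriod, maxPriceDeviation);
    }

    /// Assumed ratio check. The ratio is always >= 100 whenever both prices
    /// are non-zero, so any maxPriceDeviation <= 100 rejects every update.
    function _checkValidity(uint256 priorPrice, uint256 newPrice)
        internal
        view
        returns (bool)
    {
        if (priorPrice == 0) return true; // first price for this asset
        require(newPrice > 0, "zero price");
        uint256 ratio = newPrice > priorPrice
            ? (newPrice * 100) / priorPrice
            : (priorPrice * 100) / newPrice;
        return ratio < config.maxPriceDeviation;
    }

    /// Exposed for inspection: would a move from priorPrice to newPrice be accepted?
    function isValidUpdate(uint256 priorPrice, uint256 newPrice)
        external
        view
        returns (bool)
    {
        return _checkValidity(priorPrice, newPrice);
    }
}
```

With the defaults, isValidUpdate(100, 150) returns true (ratio 150 < 200). After setConfigUnchecked(1800, 50), the same call returns false, as does every other call with a non-zero prior price, which is the frozen-oracle condition the finding describes; setConfig(1800, 50) instead reverts with "maxPriceDeviation out of range".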
#0 - c4-judge
2023-01-09T22:40:21Z
dmvt changed the severity to QA (Quality Assurance)
#1 - c4-judge
2023-01-25T16:29:06Z
dmvt marked the issue as grade-b