ParaSpace contest - hansfriese's results

The First Ever Cross-Margin NFT Financialization Protocol.

General Information

Platform: Code4rena

Start Date: 28/11/2022

Pot Size: $192,500 USDC

Total HM: 33

Participants: 106

Period: 11 days

Judge: LSDan

Total Solo HM: 15

Id: 186

League: ETH

ParaSpace

Findings Distribution

Researcher Performance

Rank: 91/106

Findings: 2

Award: $54.08

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

44.934 USDC - $44.93

Labels

bug
3 (High Risk)
satisfactory
duplicate-402

External Links

Lines of code

https://github.com/code-423n4/2022-11-paraspace/blob/c6820a279c64a299a783955749fdc977de8f0449/paraspace-core/contracts/misc/NFTFloorOracle.sol#L167-L172

Vulnerability details

Impact

There is no onlyRole modifier on removeFeeder, so anyone can remove feeders from NFTFloorOracle, which enables a DOS attack on the oracle.

Proof of Concept

    function removeFeeder(address _feeder)
        external
        onlyWhenFeederExisted(_feeder) //@audit no modifier
    {
        _removeFeeder(_feeder);
    }

There is an onlyRole modifier on addFeeders, so only the default admin can add feeders. But there is no onlyRole modifier on removeFeeder, so anyone can remove feeders from NFTFloorOracle. If the number of feeders drops below MIN_ORACLES_NUM, _combine returns false for dataValidity, and the price can no longer be set through _finalizePrice in setPrice. So this enables a DOS attack.
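The following contract is an added illustration of the pattern described in this finding, not the ParaSpace code: a feeder registry with a quorum requirement, showing the unguarded removal function beside one that requires the admin role. The contract name, the MIN_ORACLES_NUM value of 3, the role bookkeeping and the hasQuorum helper are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

/// Illustration only (not the ParaSpace NFTFloorOracle): a feeder registry whose
/// price path depends on a minimum number of registered feeders.
contract FeederRegistryExample {
    bytes32 public constant DEFAULT_ADMIN_ROLE = 0x00;
    uint256 public constant MIN_ORACLES_NUM = 3; // assumed quorum value for the example

    mapping(bytes32 => mapping(address => bool)) private _roles;
    address[] public feeders;
    mapping(address => uint256) private _feederIndex; // index + 1, 0 means absent

    event FeederRemoved(address indexed feeder, address indexed by);

    modifier onlyRole(bytes32 role) {
        require(_roles[role][msg.sender], "AccessControl: missing role");
        _;
    }

    modifier onlyWhenFeederExisted(address _feeder) {
        require(_feederIndex[_feeder] != 0, "NFTOracle: feeder not existed");
        _;
    }

    constructor(address admin) {
        _roles[DEFAULT_ADMIN_ROLE][admin] = true;
    }

    /// Guarded: only the admin can grow the feeder set.
    function addFeeders(address[] calldata _feeders) external onlyRole(DEFAULT_ADMIN_ROLE) {
        for (uint256 i = 0; i < _feeders.length; i++) {
            address f = _feeders[i];
            require(_feederIndex[f] == 0, "NFTOracle: feeder existed");
            feeders.push(f);
            _feederIndex[f] = feeders.length;
        }
    }

    /// VULNERABLE shape: the only check is that the feeder exists. There is no
    /// caller check, so any address can shrink the set below MIN_ORACLES_NUM.
    function removeFeederUnguarded(address _feeder) external onlyWhenFeederExisted(_feeder) {
        _removeFeeder(_feeder);
    }

    /// HARDENED shape: the same function with the admin role required,
    /// matching the guard already present on addFeeders.
    function removeFeeder(address _feeder)
        external
        onlyRole(DEFAULT_ADMIN_ROLE)
        onlyWhenFeederExisted(_feeder)
    {
        _removeFeeder(_feeder);
    }

    /// Swap-and-pop removal so the feeders array stays dense.
    function _removeFeeder(address _feeder) internal {
        uint256 idx = _feederIndex[_feeder] - 1;
        uint256 last = feeders.length - 1;
        if (idx != last) {
            address moved = feeders[last];
            feeders[idx] = moved;
            _feederIndex[moved] = idx + 1;
        }
        feeders.pop();
        delete _feederIndex[_feeder];
        emit FeederRemoved(_feeder, msg.sender);
    }

    /// The quorum condition the price path depends on: once this is false, no
    /// price can be finalised, which is the denial of service the finding describes.
    function hasQuorum() public view returns (bool) {
        return feeders.length >= MIN_ORACLES_NUM;
    }
}
```

The two removal functions differ only in the onlyRole modifier; the emitted FeederRemoved event records the caller so that an unexpected remover shows up in monitoring.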

Tools Used

Manual Review

Recommended Mitigation Steps

Add an onlyRole modifier to removeFeeder.

#0 - c4-judge

2022-12-20T16:59:15Z

dmvt marked the issue as duplicate of #31

#1 - c4-judge

2023-01-23T15:59:55Z

dmvt marked the issue as satisfactory

Findings Information

Awards

9.1532 USDC - $9.15

Labels

bug
2 (Med Risk)
partial-50
edited-by-warden
duplicate-420

External Links

Lines of code

https://github.com/code-423n4/2022-11-paraspace/blob/c6820a279c64a299a783955749fdc977de8f0449/paraspace-core/contracts/misc/ParaSpaceOracle.sol#L127-L132

Vulnerability details

Impact

ParaSpaceOracle.getAssetPrice can return a stale price because of an incorrect int256 to uint256 conversion.

Proof of Concept

        if (address(source) != address(0)) {
            price = uint256(source.latestAnswer()); //@audit wrong conversion
        }
        if (price == 0 && address(_fallbackOracle) != address(0)) {
            price = _fallbackOracle.getAssetPrice(asset);
        }

When source.latestAnswer returns a negative value for a stale price, the price becomes positive (and very large) after it is converted to uint256. So the fallback oracle is never tried in the next if statement, and ParaSpaceOracle.getAssetPrice returns the stale price.
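Added illustration of the cast problem, not the ParaSpace code: a minimal price consumer with the unchecked cast beside a version that inspects the signed answer before converting it, plus a constructed mock source for trying both paths. The interface names, contract names and the castDemo helper are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

/// Assumed minimal source interface matching the call in the finding:
/// latestAnswer returns a signed value, and a negative answer can signal a bad price.
interface IPriceSource {
    function latestAnswer() external view returns (int256);
}

interface IFallbackOracle {
    function getAssetPrice(address asset) external view returns (uint256);
}

/// Illustration only (not ParaSpaceOracle): unchecked cast beside a guarded one.
contract AssetPriceExample {
    mapping(address => IPriceSource) public sources;
    IFallbackOracle public fallbackOracle;

    constructor(IFallbackOracle _fallback) {
        fallbackOracle = _fallback;
    }

    function setSource(address asset, IPriceSource source) external {
        sources[asset] = source; // no access control here: illustration only
    }

    /// VULNERABLE shape: in Solidity 0.8 an explicit int256 -> uint256 conversion
    /// does not check the sign, so -1 becomes 2**256 - 1. `price == 0` is then
    /// false and the fallback oracle is never consulted.
    function getAssetPriceUnchecked(address asset) external view returns (uint256 price) {
        IPriceSource source = sources[asset];
        if (address(source) != address(0)) {
            price = uint256(source.latestAnswer());
        }
        if (price == 0 && address(fallbackOracle) != address(0)) {
            price = fallbackOracle.getAssetPrice(asset);
        }
    }

    /// HARDENED shape: look at the signed answer first; anything non-positive is
    /// treated as "no price", which routes the call to the fallback oracle.
    function getAssetPrice(address asset) external view returns (uint256 price) {
        IPriceSource source = sources[asset];
        if (address(source) != address(0)) {
            int256 answer = source.latestAnswer();
            if (answer > 0) {
                price = uint256(answer);
            }
        }
        if (price == 0 && address(fallbackOracle) != address(0)) {
            price = fallbackOracle.getAssetPrice(asset);
        }
        // A zero result here means neither source nor fallback had a usable price.
    }

    /// What the unchecked cast actually produces, for inspection in a console.
    function castDemo(int256 answer) external pure returns (uint256) {
        return uint256(answer);
    }
}

/// Constructed mock source: returns whatever answer it was deployed with.
contract MockSource is IPriceSource {
    int256 private _answer;

    constructor(int256 answer) {
        _answer = answer;
    }

    function latestAnswer() external view override returns (int256) {
        return _answer;
    }
}
```

Deploying MockSource with -1 and calling both getters on the same asset shows the difference: the unchecked version returns 2**256 - 1 as the price, while the guarded version returns whatever the fallback oracle reports (or 0 if none is configured).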

Tools Used

Manual Review

Recommended Mitigation Steps

Check the price before it is converted to uint256.

#1 - JeffCX

2022-12-18T03:33:44Z

The warden not only talks about the stale price of the latestAnswer, but also talks about the casting issue.

I believe in the case of the token price, it is very unlikely the token price will be negative.

The casting issue part duplicates https://github.com/code-423n4/2022-11-paraspace-findings/issues/48

#2 - c4-judge

2022-12-20T17:45:59Z

dmvt marked the issue as duplicate of #5

#3 - c4-judge

2023-01-23T15:50:55Z

dmvt marked the issue as partial-50
