11 matches found
Missing access control in NFTFloorOracle::removeFeeder
Lines of code Vulnerability details Proof of Concept THe removeFeeder method is lacking onlyRoleDEFAULTADMINROLE modifier, even though the NatSpec states “Allows owner to remove feeder”. Due to this, now everyone can remove a feeder anytime. Different types of attack can be executed, one of which...
NFTFloorOracle's asset and feeder structures can be corrupted
Lines of code Vulnerability details NFTFloorOracle's addAsset and addFeeder truncate the assets and feeders arrays indices to 255, both using uint8 index field in the corresponding structures and performing uint8assets.length - 1 truncation on the new element addition. 2^8 - 1 looks to be too tig...
Oracle will become invalid much faster than intended on non-mainnet chains
Lines of code Vulnerability details Description NFTFloorOracle is in charge of answering price queries for ERC721 assets. EXPIRATIONPERIOD constant is the max amount of blocks allowed to have passed for the reading to be considered up to date: uint256 diffBlock = currentBlock - priceInfo.updatedA...
Some arbitrary feeders will not be removable, even by admin.
Lines of code Vulnerability details Description NFTFloorOracle receives data from different "feeders". They are added using addFeeders and removed by removeFeeder. Feeders are managed by two data structures. feeders is an array, each element in the address of the feeder. feederPositionMap maps...
Fallback oracle is unusable when primary oracle is not updated
Lines of code Vulnerability details Description Paraspace implemented their own Oracle wrapper in ParaSpaceOracle.sol. The important function getAssetPrice is used by many logic functions like health check. function getAssetPriceaddress asset public view override returns uint256 if asset ==...
NFTFloorOracle price feeders can be removed by anyone
Lines of code Vulnerability details Impact The nfts price feeders in the NFTFloorOracle contract should be added or removed only by the admin but because the removeFeeder function is missing the onlyRoleDEFAULTADMINROLE modifier any user can remove a feeder, this could impact the whole protocol i...
Price can deviate by much more than maxDeviationRate
Lines of code Vulnerability details Description NFTFloorOracle retrieves ERC721 prices for ParaSpace. maxPriceDeviation is a configurable parameter, which limits the change percentage from current price to a new feed update. function checkValidityaddress asset, uint256 twap internal view returns...
NFTFloorOracle trust feeder without any fallback
Lines of code Vulnerability details Impact In the current design, NFTFloorOracle take the median of valid feeder price as the oracle price. This design can be dangerous if more than half as few as 2 of the feeders decided to collude and publish malicious prices. If they set the price higher, they...
Unsafe casting from uint256 to uint8 cause wrong index of asset and feeder in NFTFloorOracle
Lines of code Vulnerability details Impact In NFTFloorPrice, it has a set of feeders and a set of assets. Feeders will set price for assets. Of coursers, with the growing NFT space, number of assets collection could be much more than 256 and because Paraspace uses median price from keepers so...
Pausing assets only affects future price updates, not previous malicious updates.
Lines of code Vulnerability details Description NFTFloorOracle retrieves ERC721 prices for ParaSpace. It is pausable by admin on a per asset level using setPauseasset, flag. setPrice will not be callable when asset is paused: function setPriceaddress asset, uint256 twap public onlyRoleUPDATERROLE...
Anyone can remove feeders from NFTFloorOracle.
Lines of code Vulnerability details Impact There is no onlyRole modifier in removeFeeder, so anyone can remove feeders from NFTFloorOracle, and it will cause a DOS attack. Proof of Concept function removeFeederaddress feeder external onlyWhenFeederExistedfeeder //@audit no modifier...