There is nothing stopping DAO_ROLE from setting _newFloor to a really high/low value with malicious intent.
Proof of Concept
/// @notice Allows the DAO to bypass the floor oracle and override the NFT floor value
/// @param _newFloor The new floor
function overrideFloor(uint256 _newFloor) external onlyRole(DAO_ROLE) {
require(_newFloor > 0, "Invalid floor");
nftTypeValueETH[bytes32(0)] = _newFloor;
daoFloorOverride = true;
}
Recommendation
Consider adding upper and lower bounds relative to the current NFT floor price when setting _newFloor.
Lines of code
https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/vaults/NFTVault.sol#L275-L281
Vulnerability details
Impact
There is nothing stopping
DAO_ROLE
from setting_newFloor
to a really high/low value with malicious intent.Proof of Concept
Recommendation
Consider adding upper and lower bounds relative to the current NFT floor price when setting
_newFloor
.Tools Used
Manual.