Lines of code
https://github.com/code-423n4/2022-11-paraspace/blob/c6820a279c64a299a783955749fdc977de8f0449/paraspace-core/contracts/misc/NFTFloorOracle.sol#L167-L172

Vulnerability details

Impact
There is no `onlyRole` modifier on `removeFeeder`, so anyone can remove feeders from `NFTFloorOracle`, and this can be used to cause a DoS.

Proof of Concept
```solidity
function removeFeeder(address _feeder)
    external
    onlyWhenFeederExisted(_feeder) //@audit no modifier
{
    _removeFeeder(_feeder);
}
```
There is an `onlyRole` modifier on `addFeeders`, so only the default admin can add feeders. But there is no `onlyRole` modifier on `removeFeeder`, so anyone can remove feeders from `NFTFloorOracle`. If the number of feeders is less than `MIN_ORACLES_NUM`, `_combine` will return `false` for `dataValidity`, and the price can no longer be set via `_finalizePrice` in `setPrice`. So it can induce a DoS attack.

Tools Used
Manual Review

Recommended Mitigation Steps
Add the `onlyRole` modifier to `removeFeeder`.
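As an added illustration that is not part of the original report or of the ParaSpace code base, the simplified contract below keeps only the feeder set and the `MIN_ORACLES_NUM` gate the finding depends on, and shows `removeFeeder` with the recommended fix applied. It assumes OpenZeppelin `AccessControl` (v4.x) and that the role gating `addFeeders` is `DEFAULT_ADMIN_ROLE`; the value of `MIN_ORACLES_NUM` is a constructed placeholder.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "@openzeppelin/contracts/access/AccessControl.sol";

// Simplified stand-in for NFTFloorOracle (not the ParaSpace contract itself):
// only the feeder registry and the MIN_ORACLES_NUM validity gate are modelled.
contract FeederRegistry is AccessControl {
    uint256 public constant MIN_ORACLES_NUM = 3; // assumed value, not ParaSpace's
    address[] public feeders;
    mapping(address => uint256) public feederPositionMap; // 1-based index, 0 = absent

    modifier onlyWhenFeederExisted(address _feeder) {
        require(feederPositionMap[_feeder] != 0, "NFTOracle: feeder not existed");
        _;
    }

    constructor() {
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
    }

    // Same admin gate the finding observes on addFeeders.
    function addFeeders(address[] calldata _feeders) external onlyRole(DEFAULT_ADMIN_ROLE) {
        for (uint256 i = 0; i < _feeders.length; i++) {
            if (feederPositionMap[_feeders[i]] == 0) {
                feeders.push(_feeders[i]);
                feederPositionMap[_feeders[i]] = feeders.length;
            }
        }
    }

    // FIX: onlyRole(DEFAULT_ADMIN_ROLE) added. Without it, any account could
    // shrink the feeder set below MIN_ORACLES_NUM and priceDataValid() would
    // stay false, which is the DoS described in the finding.
    function removeFeeder(address _feeder)
        external
        onlyRole(DEFAULT_ADMIN_ROLE)
        onlyWhenFeederExisted(_feeder)
    {
        uint256 idx = feederPositionMap[_feeder] - 1;
        address last = feeders[feeders.length - 1];
        feeders[idx] = last;               // swap-and-pop removal
        feederPositionMap[last] = idx + 1;
        feeders.pop();
        delete feederPositionMap[_feeder];
    }

    // Mirrors the dataValidity gate in _combine: too few feeders, no valid price.
    function priceDataValid() public view returns (bool) {
        return feeders.length >= MIN_ORACLES_NUM;
    }
}
```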