Lines of code
https://github.com/code-423n4/2022-11-paraspace/blob/6542d6e946762fc7a914a3f6f2e08fcbbf6c8a13/paraspace-core/contracts/misc/NFTFloorOracle.sol#L158
Vulnerability details
Proof of Concept
The addFeeder function in NFTFloorOracle pushes an address onto the feeders array. There is no check against a maximum array size. If too many feeders are added, price updates can become impossible: setPrice calls _combine, which iterates over the whole feeders array. Once the array is large enough, that iteration costs more gas than a caller is willing to pay, or more than the block gas limit allows, so the price stays stale until an admin calls removeFeeder. Removal can itself take some time, and an attacker who wants to prolong the outage can additionally perform a block stuffing attack against the removal transaction.
Severity
The impact of this issue is High because the protocol would be running with a stale price, but the likelihood is Low since it requires the owner to be compromised or malicious, or to carelessly add too many feeders. This results in Medium severity.
Recommendation
Add a maximum array size and, in addFeeder, check whether the maximum number of feeders has already been reached before pushing.
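The following is an added illustration of the recommended cap, not code from the ParaSpace repository: a deliberately minimal feeder registry in which addFeeder refuses new entries once a constant bound is reached, so the loop in _combine can never grow past a size whose gas cost has been measured. All names (BoundedFeederRegistry, MAX_FEEDERS, isFeeder, priceOf, aggregatedPrice) and the averaging logic are assumptions chosen for the example; the real NFTFloorOracle has more state and a different aggregation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Hypothetical, simplified sketch of the pattern described in the finding.
// It is NOT ParaSpace's NFTFloorOracle; names and logic are illustrative only.
contract BoundedFeederRegistry {
    // Assumed cap. In practice derive it from gas measurements of the
    // _combine loop so a full iteration stays well under the block gas limit.
    uint256 public constant MAX_FEEDERS = 32;

    address public admin;
    address[] public feeders;
    mapping(address => bool) public isFeeder;

    // Latest price reported by each feeder for a single asset (kept minimal).
    mapping(address => uint256) public priceOf;
    uint256 public aggregatedPrice;

    error NotAdmin();
    error TooManyFeeders(uint256 current, uint256 max);
    error AlreadyFeeder(address feeder);
    error NotFeeder(address feeder);

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    constructor() {
        admin = msg.sender;
    }

    // Hardened addFeeder: the missing check from the finding. Reverts once
    // the cap is reached, so the array _combine iterates over is bounded.
    function addFeeder(address feeder) external onlyAdmin {
        if (isFeeder[feeder]) revert AlreadyFeeder(feeder);
        if (feeders.length >= MAX_FEEDERS) {
            revert TooManyFeeders(feeders.length, MAX_FEEDERS);
        }
        isFeeder[feeder] = true;
        feeders.push(feeder);
    }

    // Swap-and-pop removal so the admin's recovery path is cheap as well.
    function removeFeeder(address feeder) external onlyAdmin {
        if (!isFeeder[feeder]) revert NotFeeder(feeder);
        uint256 n = feeders.length;
        for (uint256 i = 0; i < n; i++) {
            if (feeders[i] == feeder) {
                feeders[i] = feeders[n - 1];
                feeders.pop();
                break;
            }
        }
        isFeeder[feeder] = false;
        delete priceOf[feeder];
    }

    // A feeder posts a price; the update then aggregates across all feeders,
    // which is the loop that becomes unpayable without the cap above.
    function setPrice(uint256 price) external {
        if (!isFeeder[msg.sender]) revert NotFeeder(msg.sender);
        priceOf[msg.sender] = price;
        _combine();
    }

    // Bounded loop: at most MAX_FEEDERS iterations. Assumed aggregation is
    // the mean of non-zero reports; the real oracle's rule differs.
    function _combine() internal {
        uint256 sum;
        uint256 count;
        uint256 n = feeders.length; // <= MAX_FEEDERS by construction
        for (uint256 i = 0; i < n; i++) {
            uint256 p = priceOf[feeders[i]];
            if (p != 0) {
                sum += p;
                count++;
            }
        }
        aggregatedPrice = count == 0 ? 0 : sum / count;
    }

    function feederCount() external view returns (uint256) {
        return feeders.length;
    }
}
```

The cap turns the failure from a silent stale price into an explicit revert at the moment an admin tries to add one feeder too many, which is far easier to notice and reason about than a setPrice that starts running out of gas later.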