code-423n4 / 2022-11-paraspace-findings


Unbounded array size can result in stale price reported from oracle #440

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-11-paraspace/blob/6542d6e946762fc7a914a3f6f2e08fcbbf6c8a13/paraspace-core/contracts/misc/NFTFloorOracle.sol#L158

Vulnerability details

Proof of Concept

The addFeeder functionality in NFTFloorOracle pushes an address to the feeders array. Since a check for a maximum array size is missing, if too many feeders are added this can make a price update impossible, since the setPrice functionality calls _combine, which iterates over the feeders array. If the array is too big this iteration might cost too much gas, or even more than the max block gas limit, so the price will be stale until an admin calls removeFeeder, which can take some time; plus, if the attacker wants it to take more time, he can perform a block-stuffing attack on the remove transaction as well.

Severity

The impact of this issue is High because the protocol will be running with a stale price, but the likelihood is low since it requires the owner to be compromised/malicious or to not be careful with adding too many feeders. This results in Medium severity.

Recommendation

Add a max array size and check whether the maximum number of feeders has already been reached when calling addFeeder.

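The following is an added illustration of the recommended mitigation; it is not ParaSpace's NFTFloorOracle code and is not taken from the finding. It is a hypothetical feeder registry in which `addFeeder` refuses new feeders once a hard cap (`MAX_FEEDERS`, a placeholder value of 32) is reached, so the loop in `_combine` has a bounded worst-case gas cost. The index mapping for O(1) removal and the simple averaging in `_combine` are simplifications chosen for the example, not a description of the real contract's logic.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Illustrative feeder registry (example code, not ParaSpace's oracle).
/// Demonstrates the fix suggested in the finding: cap the number of
/// feeders so any loop over `feeders` cannot outgrow the block gas limit.
contract BoundedFeederRegistry {
    // Assumption: 32 is a placeholder cap chosen for the example.
    uint256 public constant MAX_FEEDERS = 32;

    address public immutable admin;
    address[] public feeders;
    // Stored as index + 1 so that 0 means "not a feeder".
    mapping(address => uint256) private feederIndexPlusOne;
    // Latest price submitted by each feeder.
    mapping(address => uint256) public priceOf;

    error NotAdmin();
    error NotFeeder();
    error AlreadyFeeder(address feeder);
    error UnknownFeeder(address feeder);
    error TooManyFeeders(uint256 current, uint256 max);

    constructor() {
        admin = msg.sender;
    }

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    /// The check the finding asks for: reject additions once the cap is hit.
    function addFeeder(address feeder) external onlyAdmin {
        if (feederIndexPlusOne[feeder] != 0) revert AlreadyFeeder(feeder);
        if (feeders.length >= MAX_FEEDERS) {
            revert TooManyFeeders(feeders.length, MAX_FEEDERS);
        }
        feeders.push(feeder);
        feederIndexPlusOne[feeder] = feeders.length;
    }

    /// Swap-and-pop removal keeps the array dense without a linear scan.
    function removeFeeder(address feeder) external onlyAdmin {
        uint256 idxPlusOne = feederIndexPlusOne[feeder];
        if (idxPlusOne == 0) revert UnknownFeeder(feeder);
        uint256 idx = idxPlusOne - 1;
        uint256 last = feeders.length - 1;
        if (idx != last) {
            address moved = feeders[last];
            feeders[idx] = moved;
            feederIndexPlusOne[moved] = idxPlusOne;
        }
        feeders.pop();
        delete feederIndexPlusOne[feeder];
        delete priceOf[feeder];
    }

    /// A feeder submits a price; the combined value is recomputed over all feeders.
    function setPrice(uint256 price) external returns (uint256 combined) {
        if (feederIndexPlusOne[msg.sender] == 0) revert NotFeeder();
        priceOf[msg.sender] = price;
        return _combine();
    }

    /// Simplified aggregation: average of the non-zero prices.
    /// The loop runs at most MAX_FEEDERS iterations, so its gas is bounded.
    function _combine() internal view returns (uint256) {
        uint256 sum;
        uint256 n;
        uint256 len = feeders.length; // always <= MAX_FEEDERS
        for (uint256 i = 0; i < len; ++i) {
            uint256 p = priceOf[feeders[i]];
            if (p != 0) {
                sum += p;
                ++n;
            }
        }
        return n == 0 ? 0 : sum / n;
    }
}
```

With the cap in place, the worst-case cost of `setPrice` is fixed at deployment time and can be measured against the target chain's block gas limit, rather than growing with every admin `addFeeder` call. The cap should be chosen with that measurement in mind; the value above is only a placeholder.
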
JeffCX commented 1 year ago

Unlikely to happen but yes, there is no upper bound for the feed array.

JeffCX commented 1 year ago

duplicate of https://github.com/code-423n4/2022-11-paraspace-findings/issues/368

c4-judge commented 1 year ago

dmvt changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

dmvt marked the issue as grade-b