Centralization risks in NFTFloorOracle

[code423n4]

Lines of code

https://github.com/code-423n4/2022-11-paraspace/blob/c01a980e5d6e15b2993b912c3569ed8b5236ff33/paraspace-core/contracts/misc/NFTFloorOracle.sol#L202

Vulnerability details

Impact

Usually, prices are check for validity within setPrice. These validity checks make sure that the price does not deviate too much between updates, which is a good safeguard to have. However, when someone with the DEFAULT_ADMIN_ROLE calls the function, the price is immediately finalized with the provided value:

        if (hasRole(DEFAULT_ADMIN_ROLE, msg.sender)) {
            _finalizePrice(_asset, _twap);
            return;
        }

A malicious admin can therefore set arbitrarily high or low floor prices (even temporarily). This can be exploited to get undercollaterized loans (i.e., drain the protocol) or liquidate positions that would be healthy. The user therefore has to completely trust the admins, which is undesirable.

Proof Of Concept

Malicious admin Bob sets an extremely high floor price for an NFT that he owns and then takes out a loan with that NFT as collateral. Like that, Bob can completely drain the protocol.

Recommended Mitigation Steps

Also perform sanity checks for updates that are performed by an admin or use some other mechanism (e.g., a voting scheme) for these updates.

[c4-judge]

dmvt marked the issue as primary issue

[c4-judge]

dmvt marked the issue as satisfactory

[C4-Staff]

captainmangoC4 marked issue #437 as primary and marked this issue as a duplicate of 437