Centralization risks in NFTFloorOracle #54
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-437
satisfactory
satisfies C4 submission criteria; eligible for awards
Comments
code423n4 added the 2 (Med Risk) and bug labels on Dec 1, 2022
dmvt marked the issue as primary issue
c4-judge added the primary issue label (Highest quality submission among a set of duplicates) on Dec 20, 2022
dmvt marked the issue as satisfactory
c4-judge added the satisfactory label on Jan 23, 2023
C4-Staff added the duplicate-437 label and removed the primary issue label on Feb 1, 2023
captainmangoC4 marked issue #437 as primary and marked this issue as a duplicate of 437
Lines of code
https://github.com/code-423n4/2022-11-paraspace/blob/c01a980e5d6e15b2993b912c3569ed8b5236ff33/paraspace-core/contracts/misc/NFTFloorOracle.sol#L202
Vulnerability details
Impact
Usually, prices are checked for validity within setPrice. These validity checks make sure that the price does not deviate too much between updates, which is a good safeguard to have. However, when someone with the DEFAULT_ADMIN_ROLE calls the function, the price is immediately finalized with the provided value:
A malicious admin can therefore set arbitrarily high or low floor prices (even temporarily). This can be exploited to get undercollateralized loans (i.e., drain the protocol) or liquidate positions that would be healthy. The user therefore has to completely trust the admins, which is undesirable.
Proof Of Concept
Malicious admin Bob sets an extremely high floor price for an NFT that he owns and then takes out a loan with that NFT as collateral. Like that, Bob can completely drain the protocol.
Recommended Mitigation Steps
Also perform sanity checks for updates that are performed by an admin or use some other mechanism (e.g., a voting scheme) for these updates.
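One way to apply the first recommendation, as an added sketch that is not part of the original report and not ParaSpace's NFTFloorOracle code: a minimal oracle in which the admin goes through the same deviation check as every other updater. The contract name, the 20% bound and all identifiers other than setPrice are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

/// Added illustration only: a minimal floor oracle, not the audited contract.
/// BoundedFloorOracle, MAX_DEVIATION_BPS and withinBounds are hypothetical names.
contract BoundedFloorOracle {
    address public immutable admin;
    mapping(address => bool) public isUpdater;
    mapping(address => uint256) public floorPrice; // asset => last finalized price

    uint256 public constant MAX_DEVIATION_BPS = 2_000; // assumed bound: 20% per update
    uint256 private constant BPS = 10_000;

    event PriceFinalized(address indexed asset, uint256 price, address indexed by);

    constructor() {
        admin = msg.sender;
    }

    function setUpdater(address who, bool allowed) external {
        require(msg.sender == admin, "not admin");
        isUpdater[who] = allowed;
    }

    /// Returns true when newPrice is nonzero and within the bound of the last price.
    /// The first price for an asset has no reference, so only nonzero is required.
    function withinBounds(address asset, uint256 newPrice) public view returns (bool) {
        if (newPrice == 0) return false;
        uint256 prev = floorPrice[asset];
        if (prev == 0) return true;
        uint256 diff = newPrice > prev ? newPrice - prev : prev - newPrice;
        return diff * BPS <= prev * MAX_DEVIATION_BPS;
    }

    function setPrice(address asset, uint256 newPrice) external {
        require(msg.sender == admin || isUpdater[msg.sender], "not authorized");
        // Pattern the report describes (admin path skips validation), shown as a comment:
        //   if (msg.sender == admin) { floorPrice[asset] = newPrice; return; }
        // Hardened: every caller, admin included, must pass the same check.
        require(withinBounds(asset, newPrice), "price deviates too much");
        floorPrice[asset] = newPrice;
        emit PriceFinalized(asset, newPrice, msg.sender);
    }
}
```

A per-update bound on its own can still be moved step by step through repeated calls, so it is normally paired with a minimum interval between updates or a timelock on the admin path.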