When a Moonbird NFT is nested, the transfer function is disabled. Thus, the usual ERC721's transfer, transferFrom and safeTransferFrom function will not work for a Nested Moonbird NFT.
Specifically, MoonBirds has a nesting functionality which disables the the function safeTransferFrom . additionally, it has a nesting toggle and nesting information that holders would like to have access to after supplying the token to Paraspace. In order to support the transferring of the token while nesting the “owner (not approved operators)” of the token can call a custom function called safeTransferWhileNesting
The flash claim feature relies on the ERC721's transfer, transferFrom, and safeTransferFrom functions. Thus, if the users attempt to perform a flash claim against his Nested MoonBird NFT, the function will revert.
Proof of Concept
The flash claim feature relies on the FlashClaimLogic.executeFlashClaim function. Within the FlashClaimLogic.executeFlashClaim function, it relies on ERC721's safeTransferFrom function to move underlying NFT forward to and backward from receiver contract. Since Nested MoonBird NFT disable the usual ERC721's transfer functionaility, the function will revert.
Users will not be able to use the flash-claim feature to claim their nested MoonBird NFT. If the users need to flash-claim their nested MoonBird NFT to claim any rewards or airdrop, they will not be able to do so.
Recommended Mitigation Steps
Considering implement a seperate flash-claim feature for nested MoonBird NFT that depends on safeTransferWhileNesting function instead of safeTransferFrom function
Lines of code
https://github.com/code-423n4/2022-11-paraspace/blob/c6820a279c64a299a783955749fdc977de8f0449/paraspace-core/contracts/protocol/libraries/logic/FlashClaimLogic.sol#L28
Vulnerability details
Background
When a Moonbird NFT is nested, the transfer function is disabled. Thus, the usual ERC721's
transfer
,transferFrom
andsafeTransferFrom
function will not work for a Nested Moonbird NFT.The following is extracted directly from ParaSpace's Audit Technical documentation.
The flash claim feature relies on the ERC721's
transfer
,transferFrom
, andsafeTransferFrom
functions. Thus, if the users attempt to perform a flash claim against his Nested MoonBird NFT, the function will revert.Proof of Concept
The flash claim feature relies on the
FlashClaimLogic.executeFlashClaim
function. Within theFlashClaimLogic.executeFlashClaim
function, it relies on ERC721'ssafeTransferFrom
function to move underlying NFT forward to and backward from receiver contract. Since Nested MoonBird NFT disable the usual ERC721's transfer functionaility, the function will revert.https://github.com/code-423n4/2022-11-paraspace/blob/c6820a279c64a299a783955749fdc977de8f0449/paraspace-core/contracts/protocol/libraries/logic/FlashClaimLogic.sol#L28
Impact
Users will not be able to use the flash-claim feature to claim their nested MoonBird NFT. If the users need to flash-claim their nested MoonBird NFT to claim any rewards or airdrop, they will not be able to do so.
Recommended Mitigation Steps
Considering implement a seperate flash-claim feature for nested MoonBird NFT that depends on
safeTransferWhileNesting
function instead ofsafeTransferFrom
function