Lines of code
https://github.com/code-423n4/2022-11-paraspace/blob/c6820a279c64a299a783955749fdc977de8f0449/paraspace-core/contracts/protocol/tokenization/libraries/MintableERC721Logic.sol#L402
Vulnerability details
Description
NTokens with balance limits, such as UniswapV3 NTokens, check that this balance limit is not reached when minting new tokens.
The issue is that NTokens can be freely transferred, so an attacker can easily fill the victim's balance (30 by default) of allocated NToken tokenIDs. UniswapV3 NTokens can be of any desired value, so a user can mint them with negligible value. Therefore, an attacker can continually fill up the victim's balance with useless tokens, which will cost the victim a lot of gas to keep getting rid of in order to make use of these slots.
Impact
The victim cannot make use of UniswapV3 NTokens if the attacker keeps DoSing their balance.
Tools Used
Manual audit
Recommended Mitigation Steps
Allow users to opt out of receiving NTokens when they have balance limits.
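The balance-limit behaviour and the recommended opt-out, as an added Python model that is not ParaSpace's contract code. The class, the opted_out set and the account names are hypothetical, and transfers are assumed to skip the limit check that mint performs.

```python
# Simplified model (added example, not ParaSpace contract code) of a
# per-owner balance limit on an ERC721-style NToken.
BALANCE_LIMIT = 30  # default limit stated in the finding

class LimitExceeded(Exception): pass
class TransferRejected(Exception): pass

class NTokenModel:
    def __init__(self, enforce_opt_out):
        self.enforce_opt_out = enforce_opt_out  # False = behaviour in the finding
        self.owner_of = {}      # token_id -> owner
        self.opted_out = set()  # hypothetical flag: owners refusing incoming transfers
        self.next_id = 0

    def balance_of(self, owner):
        return sum(1 for o in self.owner_of.values() if o == owner)

    def mint(self, to):
        # The limit is checked at mint time, as the description states.
        if self.balance_of(to) >= BALANCE_LIMIT:
            raise LimitExceeded(to)
        token_id = self.next_id
        self.next_id += 1
        self.owner_of[token_id] = to
        return token_id

    def transfer(self, sender, to, token_id):
        if self.owner_of.get(token_id) != sender:
            raise TransferRejected("sender is not the owner")
        # Mitigation: a recipient that opted out cannot be handed tokens.
        if self.enforce_opt_out and to in self.opted_out:
            raise TransferRejected("recipient opted out")
        self.owner_of[token_id] = to

def victim_can_mint_after_fill(enforce_opt_out):
    """Constructed scenario: third parties send 30 tokens, then the victim mints."""
    token = NTokenModel(enforce_opt_out)
    token.opted_out.add("victim")
    for i in range(BALANCE_LIMIT):
        sender = f"sender{i}"  # distinct senders so no sender hits its own limit
        try:
            token.transfer(sender, "victim", token.mint(sender))
        except TransferRejected:
            pass  # with the opt-out enforced, the victim's slots stay free
    try:
        token.mint("victim")
        return True
    except LimitExceeded:
        return False
```
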