code-423n4 / 2022-11-paraspace-findings

Victim cannot make use of UniswapV3 NTokens if victim keeps DOSing their balance #476

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-11-paraspace/blob/c6820a279c64a299a783955749fdc977de8f0449/paraspace-core/contracts/protocol/tokenization/libraries/MintableERC721Logic.sol#L402

Vulnerability details

Description

NTokens with balance limits, such as UniswapV3 NTokens, check that this balance limit is not reached when minting new tokens.

function _checkBalanceLimit(
    MintableERC721Data storage erc721Data,
    bool ATOMIC_PRICING,
    uint64 balance
) private view {
    if (ATOMIC_PRICING) {
        uint64 balanceLimit = erc721Data.balanceLimit;
        require(
            balanceLimit == 0 || balance <= balanceLimit,
            Errors.NTOKEN_BALANCE_EXCEEDED
        );
    }
}

The issue is that NTokens can be freely transferred, so an attacker can easily fill the balance (30 by default) of the victim's allocated NToken tokenIDs. UniswapV3 NTokens can be of any desired value, so a user can mint them with negligible value. Therefore, an attacker can continually fill up the balance of the victim with useless tokens, which will cost a lot of gas for attack to keep getting rid of, in order to make use of these slots.

Impact

Victim cannot make use of UniswapV3 NTokens if victim keeps DOSing their balance

Tools Used

Manual audit

Recommended Mitigation Steps

Allow users to opt out of receiving NTokens when they have balance limits.
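
One way the recommended opt-out could look, as an added example that is not part of the original report and not ParaSpace code. `BalanceLimitedToken`, `rejectsInboundTransfers` and `setRejectInboundTransfers` are hypothetical names; the contract is a simplified stand-in for a balance-limited NToken and reuses only the limit predicate shown in `_checkBalanceLimit`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

/// Simplified model of a balance-limited token (hypothetical, not ParaSpace code).
contract BalanceLimitedToken {
    uint64 public immutable balanceLimit; // 0 means "no limit", as in _checkBalanceLimit
    mapping(uint256 => address) public ownerOf;
    mapping(address => uint64) public balanceOf;
    // Hypothetical opt-out flag: when set, nobody else can add tokens to this holder.
    mapping(address => bool) public rejectsInboundTransfers;

    error BalanceExceeded();
    error RecipientOptedOut();
    error NotOwner();
    error AlreadyMinted();
    error ZeroAddress();

    constructor(uint64 limit) {
        balanceLimit = limit;
    }

    function setRejectInboundTransfers(bool reject) external {
        rejectsInboundTransfers[msg.sender] = reject;
    }

    // Mint to the caller only, so a slot is consumed only by the holder's own action.
    function mint(uint256 tokenId) external {
        if (ownerOf[tokenId] != address(0)) revert AlreadyMinted();
        _credit(msg.sender, tokenId);
    }

    function transfer(address to, uint256 tokenId) external {
        if (to == address(0)) revert ZeroAddress();
        if (ownerOf[tokenId] != msg.sender) revert NotOwner();
        // Mitigation: an unsolicited transfer cannot use up an opted-out holder's slots.
        if (to != msg.sender && rejectsInboundTransfers[to]) revert RecipientOptedOut();
        balanceOf[msg.sender] -= 1;
        _credit(to, tokenId);
    }

    function _credit(address to, uint256 tokenId) private {
        uint64 newBalance = balanceOf[to] + 1;
        // Same predicate as the report's _checkBalanceLimit, applied to the new balance.
        if (balanceLimit != 0 && newBalance > balanceLimit) revert BalanceExceeded();
        balanceOf[to] = newBalance;
        ownerOf[tokenId] = to;
    }
}
```

With the flag unset, any holder can push tokens to another address until `BalanceExceeded` blocks that address's own mints; with it set, the same transfer reverts with `RecipientOptedOut` and the limit only counts tokens the holder minted.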

c4-judge commented 1 year ago

dmvt marked the issue as duplicate of #334

c4-judge commented 1 year ago

dmvt marked the issue as satisfactory