Lines of code
https://github.com/code-423n4/2022-11-paraspace/blob/c6820a279c64a299a783955749fdc977de8f0449/paraspace-core/contracts/protocol/tokenization/NToken.sol#L168-L186
Vulnerability details
Impact
The executeAirdrop function allows the pool admin to execute an arbitrary call to an arbitrary contract, including a transferFrom call to the underlying NFT contract. This can be used by the pool admin to steal the NFTs held inside the NToken contract: the NToken is the ERC721 owner, so a transferFrom(address(this), attacker, tokenId) issued from the NToken itself needs no approval.

Since rescueERC721 has a check to make sure the target token is not _underlyingAsset, executeAirdrop should have the same check:
https://github.com/code-423n4/2022-11-paraspace/blob/c6820a279c64a299a783955749fdc977de8f0449/paraspace-core/contracts/protocol/tokenization/NToken.sol#L141-L144
Proof of Concept
https://github.com/code-423n4/2022-11-paraspace/blob/c6820a279c64a299a783955749fdc977de8f0449/paraspace-core/contracts/protocol/tokenization/NToken.sol#L168-L186
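The pattern described above, as an added illustration that is not the Paraspace code: a simplified vault with a rescueERC721 that excludes the underlying collateral, an executeAirdrop that does not (VulnerableVault), the calldata a malicious pool admin would pass to it, and the same function with the missing check added (HardenedVault). Contract names, error strings, the poolAdmin constructor argument and the AirdropExploitCalldata helper are assumptions made for this example; only the executeAirdrop and rescueERC721 shapes follow the linked NToken lines.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Illustrative example only, not the Paraspace NToken implementation.
import "@openzeppelin/contracts/token/ERC721/IERC721.sol";
import "@openzeppelin/contracts/utils/Address.sol";

// Minimal stand-in for an NToken: holds ERC721 collateral from one collection.
abstract contract VaultBase {
    address internal immutable _underlyingAsset; // the collateral collection
    address public immutable poolAdmin;          // assumed: fixed at deployment

    modifier onlyPoolAdmin() {
        require(msg.sender == poolAdmin, "CALLER_NOT_POOL_ADMIN");
        _;
    }

    constructor(address underlying, address admin) {
        _underlyingAsset = underlying;
        poolAdmin = admin;
    }

    // Same shape as NToken.rescueERC721: the underlying collateral is explicitly
    // excluded, so the admin can only sweep unrelated NFTs sent here by mistake.
    function rescueERC721(address token, address to, uint256[] calldata ids)
        external
        onlyPoolAdmin
    {
        require(token != _underlyingAsset, "UNDERLYING_ASSET_CAN_NOT_BE_TRANSFERRED");
        for (uint256 i = 0; i < ids.length; i++) {
            IERC721(token).safeTransferFrom(address(this), to, ids[i]);
        }
    }
}

contract VulnerableVault is VaultBase {
    constructor(address underlying, address admin) VaultBase(underlying, admin) {}

    // Same shape as NToken.executeAirdrop: arbitrary call to any non-zero target.
    // There is no check against _underlyingAsset, so the pool admin can make the
    // vault call transferFrom on its own collateral. The vault is the ERC721 owner,
    // so no approval is needed and the transfer succeeds.
    function executeAirdrop(address airdropContract, bytes calldata airdropParams)
        external
        onlyPoolAdmin
    {
        require(airdropContract != address(0), "INVALID_AIRDROP_CONTRACT_ADDRESS");
        require(airdropParams.length >= 4, "INVALID_AIRDROP_PARAMETERS");
        Address.functionCall(airdropContract, airdropParams, "CALL_AIRDROP_METHOD_FAILED");
    }
}

// Calldata a malicious pool admin would hand to VulnerableVault.executeAirdrop,
// with airdropContract set to the underlying collection address.
library AirdropExploitCalldata {
    function stealNft(address vault, address attacker, uint256 tokenId)
        internal
        pure
        returns (bytes memory)
    {
        // Encodes transferFrom(vault, attacker, tokenId); msg.sender will be the vault.
        return abi.encodeWithSelector(IERC721.transferFrom.selector, vault, attacker, tokenId);
    }
}

contract HardenedVault is VaultBase {
    constructor(address underlying, address admin) VaultBase(underlying, admin) {}

    // Mitigated version: reuse the rescueERC721 invariant. Any call whose target is
    // the collateral collection (transferFrom, approve, setApprovalForAll, ...) reverts.
    function executeAirdrop(address airdropContract, bytes calldata airdropParams)
        external
        onlyPoolAdmin
    {
        require(airdropContract != address(0), "INVALID_AIRDROP_CONTRACT_ADDRESS");
        require(airdropContract != _underlyingAsset, "UNDERLYING_ASSET_CAN_NOT_BE_TRANSFERRED");
        require(airdropParams.length >= 4, "INVALID_AIRDROP_PARAMETERS");
        Address.functionCall(airdropContract, airdropParams, "CALL_AIRDROP_METHOD_FAILED");
    }
}
```

The target-address check is sufficient for this path because moving the collateral requires either the vault to call the collection directly or the vault to have granted an approval, and both are calls to _underlyingAsset. It does not make executeAirdrop safe in general: the pool admin remains a trusted role that can call any other contract on the vault's behalf, so airdrop execution should still be limited to the admin and the finding's severity rests on how trusted that role is meant to be.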
Recommended Mitigation Steps