c4-judge
commented
1 year ago trust1995 marked the issue as satisfactory
Closed code423n4 closed 1 year ago
c4-judge
commented
1 year ago trust1995 marked the issue as satisfactory
c4-judge
commented
1 year ago trust1995 marked the issue as primary issue
c4-sponsor
commented
1 year ago wilsoncusack marked the issue as sponsor disputed
wilsoncusack
commented
1 year ago onERC721Received in PaprController would revert because no data is passed. https://github.com/with-backed/papr/blob/9528f2711ff0c1522076b9f93fba13f88d5bd5e6/src/NFTEDA/NFTEDA.sol#L91
c4-judge
commented
1 year ago trust1995 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/with-backed/papr/blob/9528f2711ff0c1522076b9f93fba13f88d5bd5e6/src/PaprController.sol#L279
Vulnerability details
Impact
This requires that an NFT is in auction.
When an operator calls
purchaseLiquidationAuctionNFTthe price variable is determined by a call to_purchaseNFTAndUpdateVaultIfNeededwhich calls_purchaseNFTwhich callssafeTransferFromon theauctionAssetContract. By setting thesendToparameter to thePaprControlleritself, the operator is able to trigger the onERC721Received function. The from parameter is the PaprController as well. When_addCollateralToVaultis called the from parameter is PaprController. Setting eitherrequest.swapParams.minOutorrequest.debtto a desired amount above zero will mint papr for the operator while the PaprController takes on the debt.Proof of Concept
Call purchaseLiquidationAuctionNFT _purchaseNFT sends the NFT to PaprController which triggers onERC721Received msg.sender is auctionAssetContract _addCollateralToVault uses controller as from. It has the NFT in question in its possession. Set request.debt to desired number _increaseDebt is called increasing the debt of the controller while minting papr for the operator.
Recommended Mitigation Steps
Require that the
fromparameter doesn’t equal the PaprController