12 matches found
PaprController is vulnerable to reentrancy attacks
Lines of code Vulnerability details Impact Malicious users can steal PAPR tokens through reentrancy attacks. Proof of Concept Function PaprController.purchaseLiquidationAuctionNFT may trigger a reentrancy becase it calls ERC721.safeTransferFrom in NFTEDA.purchaseNFT:...
PaprController.removeCollateral() only takes the price of the first collateral to determine whether the NFTs can be withdrawn
Lines of code Vulnerability details Impact Unintended leniency of protocol will be taken advantage by users. Users can withdraw NFTs even if their debt of a particular NFT is higher than intended. Proof of Concept When a user wants to removeCollateral, he calls removeCollateral which loops each...
Operator can buy papr with PaprController as the debtor.
Lines of code Vulnerability details Impact This requires that an NFT is in auction. When an operator calls purchaseLiquidationAuctionNFT the price variable is determined by a call to purchaseNFTAndUpdateVaultIfNeeded which calls purchaseNFT which calls safeTransferFrom on the auctionAssetContract...
Initial value of auction starter discount is set wrong
Lines of code Vulnerability details Impact The protocol offers a discount for auction starters when purchasing the liquidated NFT as an incentive for users to start an auction. I believe the intended discount should be 10%, but is currently implemented at 90%. 90% is too massive a discount for th...
PaprController.onERC721Received() assigns collateral to operator's vault instead of the nft owner's one
Lines of code Vulnerability details Impact The collateral is assigned to the operator's vault because of a parameter mismatch. This impacts the ability of third parties to integrate the PaprController contract. You're not able to create an intermediary contract that adds collateral to a user's...
Collateral NFT deposited to a wrong address, when transferred directly to PaprController
Lines of code Vulnerability details Impact Users will lose collateral NFTs when they are transferred to PaprController by an approved address or an operator. Proof of Concept The PaprController allows users to deposit NFTs as collateral to borrow Papr tokens. One of the way of depositing is by...
attacker can create un collateralized debt by reentrancy attack during _removeCollateral() by removing all collaterals and liquidating the last one which would set debt to zero. unfair liquidation can happen with reentrancy too
Lines of code Vulnerability details Impact Function removeCollateral removes collateral from msg.senders vault and code allows for onReceive hook to sell and repay debt before the debt check. during the hook function user can call other function of the PaprController contract, it's possible for...
PaprController.sol: reservoir oracle price equal to 0 allows bypassing NFT liquidations
Lines of code Vulnerability details Impact When there is a reservoir oracle message with the price of the NFT equal to zero, the debt of a vault will be reset in the PaprController.purchaseLiquidationAuctionNFT function when a NFT is bought in an auction. So the borrower can now withdraw all othe...
PaprController should not pay the swap fee in buyAndReduceDebt
Lines of code Vulnerability details Impact The best case scenario is that the paprController doesn't have any underlying tokens, in which case, buyAndReduceDebt won't work when there is a swapFee. Otherwise, paprController ends up paying for the swapFee. Even if there isn't a swap fee, the user c...
Start an auction without an NFT
Lines of code Vulnerability details Impact Requires that the account being liquidated has more than one NFT in PaprController. When an operator calls purchaseLiquidationAuctionNFT the price variable is determined by a call to purchaseNFTAndUpdateVaultIfNeeded which calls purchaseNFT which calls...
There is no way to extract fees when someones wants to reduce a debt by paying with underlying tokens
Lines of code Vulnerability details Impact When a user is buying the debt of an account or its own debt, it either have the choice to use the reduceDebt function in order to pay with PAPR tokens, or by paying in underlying tokens can be USDC, WETH, .... A protocol that would choose to...
Faulty fee handling in buyAndReduceDebt
Lines of code Vulnerability details Impact When passing fee params to buyAndReduceDebt with swapFeeTo and swapFeeBips, the PaprController will try to send the underlying token on the following line: underlying.transferparams.swapFeeTo, amountIn params.swapFeeBips / BIPSONE; But in a normal state,...