Anyone can prevent themselves from being liquidated as long as they hold one of the supported NFTs

Lines of code Vulnerability details Contrary to what the function comments say, removeFeeder is able to be called by anyone, not just the owner. By removing all feeders i.e. floor twap price oracle keepers, a malicious user can cause all queries for the price of NFTs reliant on the NFTFloorOracle...

Attacker can drain pool using executeBuyWithCredit with malicious marketplace payload.

Lines of code Vulnerability details Description Paraspace supports leveraged purchases of NFTs through PoolMarketplace entry points. User calls buyWithCredit with marketplace, calldata to be sent to marketplace, and how many tokens to borrow. function buyWithCredit bytes32 marketplaceId, bytes...

Some arbitrary feeders will not be removable, even by admin.

Lines of code Vulnerability details Description NFTFloorOracle receives data from different "feeders". They are added using addFeeders and removed by removeFeeder. Feeders are managed by two data structures. feeders is an array, each element in the address of the feeder. feederPositionMap maps...

UniswapV3 tokens of certain pairs will be wrongly valued, leading to liquidations.

Lines of code Vulnerability details Description UniswapV3OracleWrapper is responsible for price feed of UniswapV3 NFT tokens. Its getTokenPrice is used by the health check calculation in GenericLogic. getTokenPrice gets price from the oracle and then uses it to calculate value of its liquidity...

double user token spending in function executeBuyWithCredit() contract transfer user wETH fund for wETH orders even when user send payment as ETH to contract and contract converted it to wETH (_depositETH() and _delegateToPool() takes user funds when user sends ETH and tries to buy WETH order)

Lines of code Vulnerability details Impact when user wants to buy NFT tokens with wETH asset, and he/she sent ETH to executeBuyWithCredit or executeBatchBuyWithCredit, code would take user tokens two times, one as ETH token in depositETH and one as wETH tokens in delegateToPool so users would pay...

suppliers funds loss because attacker can transfer his collateralized tokens when health factor is below liquidation threshold by reentrancy attack during executeLiquidateERC20() logic and transferring collateralize

Lines of code Vulnerability details Impact Function executeLiquidateERC20 is for liquidating a position if its Health Factor drops below 1. The caller liquidator covers liquidationAmount amount of debt of the user getting liquidated, and receives a proportional amount of the collateralAsset plus ...

NFTFloorOracle price feeders can be removed by anyone

Lines of code Vulnerability details Impact The nfts price feeders in the NFTFloorOracle contract should be added or removed only by the admin but because the removeFeeder function is missing the onlyRoleDEFAULTADMINROLE modifier any user can remove a feeder, this could impact the whole protocol i...

PoolApeStaking#withdrawApeCoin compares health factor to incorrect value and allows user to take out large loans that expected

Lines of code Vulnerability details Impact BAYC, MAYC and BAKC can be leveraged past max LTV and up to the liquidation factor Proof of Concept function withdrawApeCoin address nftAsset, ApeCoinStaking.SingleNft calldata nfts external nonReentrant DataTypes.PoolStorage storage ps = poolStorage;...

Missing access control in NFTFloorOracle::removeFeeder

Lines of code Vulnerability details Proof of Concept THe removeFeeder method is lacking onlyRoleDEFAULTADMINROLE modifier, even though the NatSpec states “Allows owner to remove feeder”. Due to this, now everyone can remove a feeder anytime. Different types of attack can be executed, one of which...

Anyone can remove feeders from NFTFloorOracle.

Lines of code Vulnerability details Impact There is no onlyRole modifier in removeFeeder, so anyone can remove feeders from NFTFloorOracle, and it will cause a DOS attack. Proof of Concept function removeFeederaddress feeder external onlyWhenFeederExistedfeeder //@audit no modifier...

Attacker can manipulate low TVL Uniswap V3 pool to borrow and swap to make Lending Pool in loss.

Lines of code Vulnerability details Impact In Paraspace protocol, any Uniswap V3 position that are consist of ERC20 tokens that Paraspace support can be used as collateral to borrow funds from Paraspace pool. The value of the Uniswap V3 position will be sum of value of ERC20 tokens in it. functio...

[NAZ-H2] Update Initializer Modifier To Prevent Reentrancy During Initialization

Lines of code Vulnerability details Impact Currently the project uses both : "@openzeppelin/contracts": "4.2.0", "@openzeppelin/contracts-upgradeable": "4.2.0". This dependency has a known high severity vulnerability Deserialization of Untrusted Data Proof of Concept Because of the Deserializatio...

[NAZ-H1] Anyone Can Call removeFeeder()

Lines of code Vulnerability details Impact Currently anyone can call removeFeeder which can cause an ample amount of issues across the protocol. It is also stated in the NatSpec: Allows owner to remove feeder. Proof of Concept Anyone can remove a feeder and only the admin should be able to remove...

MarketplaceLogic.sol doesn't support ERC20 Tokens with fee on transfer

Lines of code Vulnerability details MarketplaceLogic.sol doesn't support ERC20 Tokens with fee on transfer Summary There are ERC20 tokens with transfer at fees. For checking if the transferred amount is the same as expected, code already compares balanceOf before and balanceOf after transfer...

Fallback oracle is unusable when primary oracle is not updated

Lines of code Vulnerability details Description Paraspace implemented their own Oracle wrapper in ParaSpaceOracle.sol. The important function getAssetPrice is used by many logic functions like health check. function getAssetPriceaddress asset public view override returns uint256 if asset ==...

Price can deviate by much more than maxDeviationRate

Lines of code Vulnerability details Description NFTFloorOracle retrieves ERC721 prices for ParaSpace. maxPriceDeviation is a configurable parameter, which limits the change percentage from current price to a new feed update. function checkValidityaddress asset, uint256 twap internal view returns...

Asset removal leaks previous asset prices which will be used again when asset is re-added.

Lines of code Vulnerability details Description NFTFloorOracle retrieves ERC721 prices for ParaSpace. Recordings of prices are managed in assetFeederMap, mapping between address and FeederRegistrar: struct FeederRegistrar // if asset registered or not bool registered; // index in asset list uint8...

PoolAdmin can steal NFT from NTokens

Lines of code Vulnerability details Impact The executeAirdrop function allow pool admin to execute arbitrary call to arbitrary contract, including a transferFrom call to the underlying NFT contract. This can be used by the pool admin to steal NFT inside the NToken contracts. Since the rescueERC72...

Rewards are not accounted for properly in NTokenApeStaking contracts, limiting user's collateral.

Lines of code Vulnerability details Description ApeStakingLogic.sol implements the logic for staking ape coins through the NTokenApeStaking NFT. getTokenIdStakingAmount is an important function which returns the entire stake amount mapping for a specific BAYC / MAYC NFT. function...

Dutch auction getPrice() formula can lead to price reaching 0 and eventually reverting and locking the function.

Lines of code Vulnerability details Impact In the function getPrice the current price is calculated by taking the start price and subtracting the product of dropPersecond and time elapsed. start price - dropPreSecond timeElapsed. The issue with this is that given the right inputs for dropPerSecon...

The LPDA will fail, because the Arithmetic underflow

Lines of code Vulnerability details Impact The LPDA will fail to buy mint new NFTs even if block.timestamp = temp.startTime , block.timestamp = temp.endTime and newId sale.dropPerSecond sale.endTime - sale.startTime, "INVALID DROP PER SECOND"; --- The text was updated successfully, but th...

LPDA price is not calculated correctly such that it won't end at the final price as expected

Lines of code Vulnerability details Impact LPDA price is not calculated correctly such that it won't end at the final price as expected Proof of Concept function getPrice public view returns uint256 Sale memory temp = sale; uint256 start, uint256 end = temp.startTime, temp.endTime; if...

LPDA can be initialized with parameters that will revert getPrice()

Lines of code Vulnerability details Impact LPDA Sales can start reverting the buy and refund functions at some point of time if initialized with incorrect parameters revert happens at getPrice function. Users might not be able to withdraw their excess balance using refund function if getPrice...

Denial of Service on the LPDA.sol contract due to incorrect validation of parameters.

Lines of code Vulnerability details Impact The impact is that the contract will be on Denial Of Service, not allowing anyone to get ether out, neither the creator or people via refund. Proof of Concept The functions buyuint256 amount and refund of the LPDA.sol contract both call the function...

LPDA sale getPrice() will be broken after time because of overflow calculation

Lines of code Vulnerability details Impact LPDA sale is stand for “Last Price Dutch Auction”, which means price will drop every second from startPrice. After all NFTs are saled, it will recorded the finalPrice at the time the sale finished with the formula startPrice - dropPerSecond timeElapsed...

Funds reserved for refunding users can be steal in LPDA sale

Lines of code Vulnerability details Impact LPDA sale works like a Dutch Auction, where early buyers will get refund after the sale ended. In addition, in buy function, when last NFT is saled, it is automatically ending the LPDA sale and send payments to sale receiver, fee to fee receiver. And the...

wrong configuration can lock eth in LPDA contract forever

Lines of code Vulnerability details When creating an LPDA auction there are some sanity checks of the values used for the auction. But there is no check that the auction will not cause the price calculation to underflow after a while. This calculation of the price can underflow in getPrice in...

Malicious feeReceiver or saleReceiver can steal the user's refund ETH by calling the buy function multiple times in LPDA

Lines of code Vulnerability details Impact In the LPDA contract, the fee is transfered to feeReceiver and the totalSale to saleReceiver when newId == temp.finalId, meaning that the amount of tokens that were minted has been reached. However, the call to the internal end function only emits an eve...

In Escher721Factory.createContract any address can be provided as _uri for cloning

Lines of code Vulnerability details Impact The Escher721Factory.createContract function accepts any address as the uri parameter. This parameter is used to clone the uri contract, the address of the new clone is then passed to the Escher721.initialize function. The contract should verify the...

If very few NFTs have been sold saleReceiver will have to buy all remaining NFT to retrieve the contract funds.

Lines of code Vulnerability details Impact If very few NFTs have been sold saleReceiver will have to buy all remaining NFTs if he want to get the funds that he obtained during the mint period. Fortunately, It is still possible to mint NFT after temp.endTime because the following check is not done...

Use of payable.transfer() may lock user funds

Lines of code Vulnerability details Impact The use of payable.transfer is heavily frowned upon because it can lead to the locking of funds. The transfer call requires that the recipient has a payable callback, only provides 2300 gas for its operation. This means the following cases can cause the...

Sale contracts use address.transfer method

Lines of code Vulnerability details Impact The FixedPrice, LPDA & OpenEdition contracts uses payableaddress.transfer method to send ETH which is unsafe. EIP1884 increases the gas cost certain opcodes, possibly making contracts go over the 2300 gas limit by transfer, making them unable to receive...

Users can lose funds if they call buy with _amount larger than type(uint48).max.

Lines of code Vulnerability details Impact The function buy take amount of type uint256 as input. amount is used to check if msg.value is correct depending on the sale price as follows: requireamount sale.price == msg.value, "WRONG PRICE"; but is not casted to uint48 as done to calculate the newI...

transfer is used on address payable

Lines of code Vulnerability details Proof of Concept The codebase makes heavy use of the deprecated transfer function of address payable. Its will inevitably make the transaction fail when: 1. The receiver smart contract does not implement a payable function. 2. The receiver smart contract does...

LPDA.sol and FixedPrice.sol will lock the funds forever

Lines of code Vulnerability details Impact Possibility of IDs collision The ether will be locked on FixedPrice or LPDA Proof of Concept On the same Escher721 Let’s say the first collection start from id = 0 and end on id = 10 So the next collection of the same Escher721 We can say the next part o...

call() should be used instead of transfer() on an address payable

Lines of code Vulnerability details Impact call should be used instead of transfer on an address payable Proof of Concept The use of the deprecated transfer function for an address will inevitably make the transaction fail when: 1. The claimer smart contract does not implement a payable function...

Users will get a low amount of NFT if they try to buy a lot of them

Lines of code Vulnerability details Impact If user calls buyamount with a value larger than uint48 it will overflow during casting identical to amount = amount % typeuint48.max and cause unexpected behavior for the user. When a user pays a lot of money for a large amount of NFT, but instead they...

Possible negative price on LPDA causes sale and refund mechanism to not working

Lines of code Vulnerability details Impact Possible negative price on LPDA causes sale and refund mechanism to not working Proof of Concept function getPrice public view returns uint256 Sale memory temp = sale; uint256 start, uint256 end = temp.startTime, temp.endTime; if block.timestamp...

NFTs mintable after Auction deadline expires

Lines of code Vulnerability details Impact The buy function on the LPDA.sol contract is not validating if the auction is still running, allowing a purchase to be made after the stipulated time. The endtime variable used to store the end date of the auction is not used at any point to validate...

There isn't an end time on FixedPrice and LPDA sales, and the sale can't be canceled after the sale start.

Lines of code Vulnerability details Impact The sale can't be canceled after the sale start. Moreover, the sale won't end, which contradict the fact that typical NFT sales nowadays have an end time. Even your OpenEdition have an end time. Proof of Concept struct Sale // slot 1 uint48 currentId;...

Lack of verification for _uri parameter in createContract() function in Escher721Factory contract

Lines of code Vulnerability details Impact The impact of this vulnerability is that an attacker could potentially manipulate the token URI for any given token ID in the Escher721 contract created by the Escher721Factory contract. This could potentially allow the attacker to trick users into...

overflow in buy function

Lines of code Vulnerability details Impact the function doesn't check if the input is more the supply Proof of Concept the function doesn't have any condition check of amount Tools Used manually Recommended Mitigation Steps check the input for maximum or requirement for max supply --- The text wa...

The LPDA will keep minting NFTs after the endTime

Lines of code Vulnerability details Impact The users would keep minting from LPDA even if the end time was reached Proof of Concept Please copy the following test on LPDA.t.sol import IEscher721 from "../src/interfaces/IEscher721.sol"; function testRevertsWhenEndedBuy public testBuy; // the testB...

User can pass auction recovery health check easily with flashloan

Lines of code Vulnerability details Description ParaSpace features an auction mechanism to liquidate user's NFT holdings and receive fair value. User has the option, before liquidation actually happens but after auction started, to top up their account to above recovery factor 1.5 instead of 1 an...

Artist will never get their payout for their NFT in FixedPrice and OpenEdition

Lines of code Vulnerability details Impact There is no logic for transferring Ether that artist gain from their NFT sales in both FixedPrice and OpenEdition contracts. For these 2 contracts there is only logic for transferring 5% fee to the protocol. Therefore, artist will gain nothing from selli...

Not possible to finish LPDA after endTime

Lines of code Vulnerability details Vulnerability details The only way to finish the sale is when newId == temp.finalId, making not possible to finish LPDA even if the endTime is already over POC There isn't any function to finalize the LPDA sale even if already finished the sale, the only way to...

LPDA sales can potentially have buying function reverting indefinately due to negative price

Lines of code Vulnerability details Impact While i'm assuming there are checks for this on UI or off-chain, this wasn't mentioned in the docs or the comments, so its worth flagging and possibly implementating the mitigation step as a precaution since it is also cheap on gas. The price can...

THE FUNCTION LOGIC OF _REMOVEFEEDER() IS FLAWED

Lines of code Vulnerability details Impact When the admin calls removeFeeder, it will internally call removeFeeder that will have the feeder removed from feeders before getting its UPDATEROLE revoked. In the midst of doing this, the protocol forgets to update index of feederPositionMap belonging ...

LPDA refund logic is broken, meaning buyers always get lowest price sale

Lines of code Vulnerability details Impact The protocol intends the LPDA to refunds buyers with the difference between the price they paid and the last sale price Once the sale has ended, the users must call refund to get their Ether refunds based on their purchase price and lowest sale price 99:...

Unsafe casting from uint256 to uint8 cause wrong index of asset and feeder in NFTFloorOracle

Lines of code Vulnerability details Impact In NFTFloorPrice, it has a set of feeders and a set of assets. Feeders will set price for assets. Of coursers, with the growing NFT space, number of assets collection could be much more than 256 and because Paraspace uses median price from keepers so...