Platform: Code4rena
Start Date: 16/12/2022
Pot Size: $60,500 USDC
Total HM: 12
Participants: 58
Period: 5 days
Judge: Trust
Total Solo HM: 4
Id: 196
League: ETH
Rank: 45/58
Findings: 1
Award: $43.54
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: yixxas
Also found by: 0x52, 0xAgro, 0xSmartContract, 0xhacksmithh, Aymen0909, Bnke0x0, Bobface, Breeje, Diana, Franfran, HE1M, HollaDieWaldfee, IllIllI, Jeiwan, RaymondFam, Rolezn, SaharDevep, Secureverse, SmartSek, ak1, bin2chen, brgltd, chrisdior4, gz627, imare, ladboy233, lukris02, oyc_109, rvierdiiev, shark, tnevler, unforgiven, wait
43.5439 USDC - $43.54
https://github.com/with-backed/papr/blob/9528f2711ff0c1522076b9f93fba13f88d5bd5e6/src/PaprController.sol#L101 https://github.com/with-backed/papr/blob/9528f2711ff0c1522076b9f93fba13f88d5bd5e6/src/PaprController.sol#L164
Some NFTs collections can send airdops for their holders. One such collection are the MoonBirds. And send airdrops like this one.
When a users adds NFT as collateral with PaprController::addCollateral the PaprController contract becomes the new owner
PaprController contract is using onERC721Received callback function as a convenience/shortcut when a user deposits his/hers NFT to transfer/mint paper/sell the NFT in one go instead of calling additional functions (_addCollateral, increaseDebt, increaseDebtAndSell)
A possible airdrop will fail because the transaction will revert inside onERC721Received when decoding the IPaprController.OnERC721ReceivedArgs
Owners who transfer their NFTs to PaprController will lose a possible airdrop reward.
Manual review
A possible solution would be to
inside onERC721Received function to decode data parameter only if there is something to decode (data.length != 0) so we don't risk to revert the transaction.
But we still have a problem that from parameter is the new owner (PaprController) and not the original owner who transferred the NFT. We have a problem how to bind the airdrop to the correct owner.
Additionally to all of the above such a collection should also be set as allowed which can only be done by the PaprController contract owner with setAllowedCollateral
Considering all of this there should be a simpler solution for such airdrop to be directly converted to PaprToken.. but again the TWAP/oracle price would need to exist for such action to go immediately trough.
Or even simpler solution would be to implement a recover functionality for the contract owner so the token doesn't get stuck inside the contract and when recovered decide how the NFT token will be distributed among rightful owners.
#0 - trust1995
2022-12-25T15:48:37Z
This is more of a feature request than a M severity issue.
#1 - c4-judge
2022-12-25T15:48:44Z
trust1995 changed the severity to QA (Quality Assurance)
#2 - c4-judge
2022-12-25T17:24:08Z
trust1995 marked the issue as grade-b