Platform: Code4rena
Start Date: 27/04/2022
Pot Size: $50,000 MIM
Total HM: 6
Participants: 59
Period: 5 days
Judge: 0xean
Id: 113
League: ETH
Rank: 46/59
Findings: 1
Award: $72.39
π Selected for report: 0
π Solo Findings: 0
π Selected for report: IllIllI
Also found by: 0x1337, 0x1f8b, 0xDjango, 0xf15ers, AuditsAreUS, BowTiedWardens, CertoraInc, Funen, GimelSec, MaratCerby, Ruhum, WatchPug, antonttc, berndartmueller, bobi, bobirichman, broccolirob, catchup, cccz, defsec, delfin454000, gs8nrv, gzeon, horsefacts, hubble, hyh, ilan, jah, joestakey, kebabsec, kenta, kenzo, m9800, mics, oyc_109, pauliax, reassor, robee, samruna, sikorico, simon135, throttle, unforgiven, z3s
72.3862 MIM - $72.39
https://github.com/code-423n4/2022-04-abranft/blob/main/contracts/NFTPairWithOracle.sol#L295
NFT unrecoverable. Lender might not be able to handle NFT collateral if not implemented onERC721Received() function.
When Lender forcibly closes the Loan via removeCollateral() function, the loan.lender address gets the NFT collateral.
If that address doesn't support NFTs then the asset is unrecoverable.
https://github.com/code-423n4/2022-04-abranft/blob/main/contracts/NFTPairWithOracle.sol#L295
Manual review
Possible mitigation:
safeTransferFrom()#0 - cryptolyndon
2022-05-05T21:34:56Z
I feel it's reasonable to expect that a party choosing to lend against NFT collateral can handle it. I see that part of the report as a duplicate of #20.
However, the "to" convenience parameter is no longer available when "liquidating" loans as a third party, and that restriction is not quite necessary; if the lender is also the caller, then "to" can be another address. So I'm marking that person (well, suggesting that it be marked) this as non-critical instead.
Suggested severity: 0
#1 - 0xean
2022-05-21T14:43:01Z
Downgrading to QA.
#2 - JeeberC4
2022-05-23T19:02:49Z
Preserving original title: NFT unrecoverable. Lender might not be able to handle NFT collateral if not implemented onERC721Received() function.