Based on the context, and given the volatility of the NFT market, the DAO may give the same NFT at different prices at different times.
When that happens, in the current implementation, the locked JPEG tokens belonging to the previous owner will be frozen in the contract as the record will be overwritten by the new lock.
PoC
Given:
creditLimitRate: 50%
valueIncreaseLockRate: 30%
DAO setPendingNFTValueETH() for Alice's NFT#1 with a price of 10 ETH;
Alice finalizePendingNFTValueETH() and locked 1.5 ETH worth of JPEG tokens;
DAO adjusted the assessment and setPendingNFTValueETH() for Alice's NFT#1 with a price of 20 ETH;
Alice finalizePendingNFTValueETH() and locked 3 ETH worth of JPEG tokens.
The 1.5 ETH worth of JPEG tokens locked in step 2 won't be able to be unlocked as the LockPosition was overwritten in step 4.
spaghettieth
commented
2 years ago
Lines of code
https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/lock/JPEGLock.sol#L49-L63
Vulnerability details
https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/lock/JPEGLock.sol#L49-L63
Based on the context, and given the volatility of the NFT market, the DAO may give the same NFT at different prices at different times.
When that happens, in the current implementation, the locked JPEG tokens belonging to the previous owner will be frozen in the contract as the record will be overwritten by the new lock.
PoC
Given:
setPendingNFTValueETH()for Alice's NFT#1 with a price of10 ETH;finalizePendingNFTValueETH()and locked1.5 ETHworth ofJPEGtokens;setPendingNFTValueETH()for Alice's NFT#1 with a price of20 ETH;finalizePendingNFTValueETH()and locked3 ETHworth ofJPEGtokens.The
1.5 ETHworth ofJPEGtokens locked in step 2 won't be able to be unlocked as theLockPositionwas overwritten in step 4.Recommendation
Change to: