The protocol allows the DAO to set the value in ETH of the NFT at index _nftIndex by calling setPendingNFTValueETH after a governance vote.
The user is then supposed to call finalizePendingNFTValueETH, which locks up JPEG and makes the change in the NFT's value effective.
However, there is no deadline for calling finalizePendingNFTValueETH. This time gap creates an opportunity for exploit / misuse.
Example:
Step 1: After a governance vote, the DAO sets the value in ETH of the NFT at index 55 to 1000.
Step 2: The user waits a good amount of time for a price correction in the ETH value of the NFT; say the market price drops to 750.
Step 3: The user then calls finalizePendingNFTValueETH, locks up JPEG, and gets the higher credit limit for the NFT based on the previous valuation (1000).
Effectively, the user gets a higher credit limit even though the current market value of the collateral is lower than the valuation being applied.
Proof of Concept
Contract : vaults/NFTVault.sol
Function : setPendingNFTValueETH()
Recommended Mitigation Steps
Define a deadline, as a timestamp or a number of blocks, by which the user has to call finalizePendingNFTValueETH after setPendingNFTValueETH.
If the user calls finalizePendingNFTValueETH after the deadline, the offer for higher credit is no longer valid.
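One way to implement the recommended deadline, shown as an added example that is not the project's own code. The contract is a minimal stand-in for the vault: the PendingValuation struct, the FINALIZE_WINDOW constant (3 days is an arbitrary choice), and the simple dao address check are assumptions, and the JPEG locking and NFT ownership checks are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added illustration only: a minimal stand-in, not the project's NFTVault.
/// PendingValuation, FINALIZE_WINDOW and the `dao` check are assumptions.
contract PendingValuationWithDeadline {
    struct PendingValuation {
        uint256 valueETH; // valuation approved by the governance vote
        uint256 deadline; // last timestamp at which it may be finalized
    }

    // Assumed window; governance would pick the real value.
    uint256 public constant FINALIZE_WINDOW = 3 days;
    address public immutable dao;

    mapping(uint256 => PendingValuation) public pending;
    mapping(uint256 => uint256) public nftValueETH;

    constructor(address _dao) {
        dao = _dao;
    }

    /// DAO records the new valuation together with its expiry.
    function setPendingNFTValueETH(uint256 _nftIndex, uint256 _amountETH) external {
        require(msg.sender == dao, "not DAO");
        require(_amountETH != 0, "zero value");
        pending[_nftIndex] = PendingValuation({
            valueETH: _amountETH,
            deadline: block.timestamp + FINALIZE_WINDOW
        });
    }

    /// User finalizes; a stale valuation can no longer be applied.
    function finalizePendingNFTValueETH(uint256 _nftIndex) external {
        PendingValuation memory p = pending[_nftIndex];
        require(p.valueETH != 0, "no pending value");
        require(block.timestamp <= p.deadline, "pending value expired");

        // Clear the pending entry before applying it so it is single-use.
        delete pending[_nftIndex];

        // The real vault would verify NFT ownership and lock JPEG here.
        nftValueETH[_nftIndex] = p.valueETH;
    }
}
```

After the window passes, the Step 3 call in the example above reverts, and a new valuation requires a fresh setPendingNFTValueETH call from the DAO.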
Lines of code
https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/vaults/NFTVault.sol#L343-L381