Lines of code
https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/vaults/NFTVault.sol#L247
Vulnerability details
Proof of Concept
If the DAO turned malicious (which can happen through a governance attack, by buying a significant stake of JPEG), it could lower the liquidation rate to 0 and liquidate all positions. To lower the liquidation rate, the DAO would first need to lower the credit limit rate to 0 to bypass the check creditLimitRate < LiquidationRate.
A user may take a loan at a specific liquidation rate, and the rules can then be changed to force liquidation at an unfair rate.
If the value of the locked NFTs is higher than the price of 51% of the JPEG total supply, this attack can be profitable if performed by a liquidator.
The DAO could perform this attack and would receive all the locked NFTs, making a huge profit for the DAO since positions are overcollateralized. Solving this issue would make the protocol more trustless and more resistant to governance attacks.
Recommended Mitigation Steps
Add a minimum liquidation rate. The liquidation rate should never be 0, which would allow instant liquidation of all positions. The current check of creditLimitRate < LiquidationRate doesn't work, since the credit limit rate can also be lowered to 0.
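One way to implement the recommended minimum, as an added example (a hypothetical contract, not the NFTVault code or anything from the JPEG'd repository). The Rate struct, the function and variable names, and the 30% floor are assumptions chosen for illustration.

```solidity
pragma solidity ^0.8.0;

/// Added example: hypothetical contract, not JPEG'd's NFTVault.
contract LiquidationRateFloor {
    struct Rate { uint128 numerator; uint128 denominator; }

    // Assumed floor of 30%. A constant, so a governance vote cannot lower it.
    uint128 public constant MIN_LIQ_NUMERATOR = 30;
    uint128 public constant MIN_LIQ_DENOMINATOR = 100;

    address public immutable dao;
    Rate public creditLimitRate;
    Rate public liquidationLimitRate;

    modifier onlyDao() { require(msg.sender == dao, "not dao"); _; }

    constructor(Rate memory credit, Rate memory liquidation) {
        dao = msg.sender;
        _checkLiquidationRate(liquidation, credit);
        creditLimitRate = credit;
        liquidationLimitRate = liquidation;
    }

    function setCreditLimitRate(Rate memory r) external onlyDao {
        _validate(r);
        require(_lt(r, liquidationLimitRate), "credit >= liquidation");
        creditLimitRate = r;
    }

    function setLiquidationLimitRate(Rate memory r) external onlyDao {
        _checkLiquidationRate(r, creditLimitRate);
        liquidationLimitRate = r;
    }

    function _checkLiquidationRate(Rate memory r, Rate memory credit) private pure {
        _validate(r);
        // Relative check from the report: no protection once credit is 0.
        require(_lt(credit, r), "credit >= liquidation");
        // Absolute floor: holds whatever the credit limit rate has been set to.
        Rate memory floor = Rate(MIN_LIQ_NUMERATOR, MIN_LIQ_DENOMINATOR);
        require(!_lt(r, floor), "liquidation rate below floor");
    }

    function _validate(Rate memory r) private pure {
        require(r.denominator != 0 && r.numerator <= r.denominator, "bad rate");
    }

    // a < b by cross-multiplication; uint128 values widened to uint256 cannot overflow.
    function _lt(Rate memory a, Rate memory b) private pure returns (bool) {
        return uint256(a.numerator) * b.denominator < uint256(b.numerator) * a.denominator;
    }
}
```

With the floor in place, setting the credit limit rate to 0 first no longer opens a path to a lower liquidation rate: setLiquidationLimitRate reverts for any value under the constant, whatever the credit limit rate is.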