Issue: NFT valuation is dependent on the NFTX fractional token price. The peg of that token to the actual NFT underlying price is dependent on arbitrageurs. If the NFTX token depegs for any reason, or the pool has low liquidity, the Bunker protocol will receive faulty floor price information.
Proof of Concept
Fair market value of example NFT is 1 ETH
The NFTX pair on UniV2 has 1 ETH and 1 NFTX wrapper token
User sells 1 NFTX wrapper token into the pair, receiving 0.5 ETH. The marginal price is now 0.25 ETH/wNFT
No arbitrage takes place over the 30-minute period of the TWAP
Bunker now thinks the floor is 0.25 ETH
Loans can now be unfairly liquidated and collateral NFTs seized
Alternate proof of concept:
Fair market value of example NFT is 1 ETH
The NFTX pair on UniV2 has 1 ETH and 1 NFTX wrapper token
User sells 1 ETH into the pair, receiving 0.5 wrapper token. The marginal price is now 4 ETH/wNFT
No arbitrage takes place over the 30-minute period of the TWAP
Bunker now thinks the floor is 4 ETH
Undercollateralized loans can now be taken out, protocol loses fungible assets
Mitigations
Use a more robust Chainlink oracle feed which integrates multiple sources
At the governance/operation level, only add collateral NFTs with robust demand and deep liquidity pools
Consider operating arbitrage bots as a protocol, to ensure the health of the underlying pool prices
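The following model is an added example, not code from the Bunker repository. It reproduces the arithmetic of both proofs of concept and then shows how pool depth and arbitrage latency bound the TWAP error, which is the check behind the "deep liquidity pools" mitigation. It assumes a fee-free constant-product pool and an arithmetic TWAP; all function names are hypothetical.

```python
from fractions import Fraction

WINDOW = 30 * 60  # TWAP window from the write-up, in seconds

def swap(reserve_in, reserve_out, amount_in, fee=Fraction(0)):
    """Constant-product (x*y=k) swap; returns (new_reserve_in, new_reserve_out).
    fee=0 reproduces the write-up's round numbers; Uniswap V2 charges 0.3%."""
    effective = amount_in * (1 - fee)
    amount_out = reserve_out * effective / (reserve_in + effective)
    return reserve_in + amount_in, reserve_out - amount_out

def price_after_token_sale(eth, wnft, sold):
    """Marginal ETH/wNFT price after `sold` wNFT are sold into the pair."""
    new_wnft, new_eth = swap(wnft, eth, sold)
    return new_eth / new_wnft

def price_after_eth_sale(eth, wnft, sold):
    """Marginal ETH/wNFT price after `sold` ETH are sold into the pair."""
    new_eth, new_wnft = swap(eth, wnft, sold)
    return new_eth / new_wnft

def twap(fair, displaced, seconds_displaced, window=WINDOW):
    """Arithmetic TWAP when the pool sits at `displaced` for part of the
    window and at `fair` (arbitraged back) for the rest."""
    t = min(seconds_displaced, window)
    return (displaced * t + fair * (window - t)) / window

def max_deviation(eth, wnft, trade, seconds_displaced):
    """Worst relative TWAP error from one trade of `trade` units (wNFT or
    ETH, whichever direction is worse) left uncorrected for the given time."""
    fair = Fraction(eth) / wnft
    low = twap(fair, price_after_token_sale(eth, wnft, trade), seconds_displaced)
    high = twap(fair, price_after_eth_sale(eth, wnft, trade), seconds_displaced)
    return max(abs(low - fair), abs(high - fair)) / fair

if __name__ == "__main__":
    # Constructed scenarios: the write-up's 1 ETH / 1 wNFT pool, then a pool
    # 100x deeper, then the thin pool with arbitrage arriving after 3 minutes.
    print("thin pool, token sale :", price_after_token_sale(1, 1, 1))
    print("thin pool, ETH sale   :", price_after_eth_sale(1, 1, 1))
    print("thin pool, max error  :", float(max_deviation(1, 1, 1, WINDOW)))
    print("deep pool, max error  :", float(max_deviation(100, 100, 1, WINDOW)))
    print("thin pool, 3 min arb  :", float(max_deviation(1, 1, 1, 180)))
```

The same single-unit trade that moves the thin pool's floor estimate by 300% moves the 100x deeper pool by about 2%, so a minimum-reserve requirement for listed collateral directly caps the oracle error.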
Lines of code
https://github.com/bunkerfinance/bunker-protocol/blob/752126094691e7457d08fc62a6a5006df59bd2fe/contracts/Oracles/UniswapV2PriceOracle.sol#L24