Loss of Assets Via Inaccurate NFTX Pricing

[code423n4]

Lines of code

https://github.com/bunkerfinance/bunker-protocol/blob/752126094691e7457d08fc62a6a5006df59bd2fe/contracts/Oracles/UniswapV2PriceOracle.sol#L24

Vulnerability details

Issue: NFT valuation is dependent on the NFTX fractional token price. The peg of that token to the actual NFT underlying price is dependent on arbitrageurs. If the NFTx token depegs for any reason, or the pool has low liquidity, the Bunker protocol will recieve faulty floor price information.

Proof of Concept

• Fair market value of example NFT is 1 ETH
• The NFTX pair on UniV2 has 1 ETH and 1 NFTX wrapper token
• User sells 1 NFTX wrapper token into the pair, recieving 0.5 ETH. The marginal price is now 0.25 ETH/wNFT
• No arbitrage takes place over the 30minute period of the TWAP
• Bunker now thinks the floor is 0.25 ETH
• Loans can now be unfairly liquidated and collateral NFTs siezed

Alternate proof of concept:

• Fair market value of example NFT is 1 ETH
• The NFTX pair on UniV2 has 1 ETH and 1 NFTX wrapper token
• User sells 1 ETH into the pair, recieving 0.5 wrapper token. The marginal price is now 4 ETH/wNFT
• No arbitrage takes place over the 30minute period of the TWAP
• Bunker now thinks the floor is 4 ETH
• Undercollateralized loans can now be taken out, protocol loses fungible assets

Mitigations

• Use a more robust Chainlink oracle feed which integrates multiple sources
• At the governance/operation level, only add collateral NFTs with robust demand and deep liquidity pools
• Consider operating arbitrage bots as a protocol, to ensure the health of the underlying pool prices

[bunkerfinance-dev]

We were always aware that this is an issue, so for now we plan to only use NFTs with a high amount of NFTx liquidity.