Closed code423n4 closed 2 years ago
This is not a vulnerability since anyone can see this before interacting with the vault and the valuation of tokens should reflect this. Setting a max in the contract requires selecting an arbitrary value and it may be more appropriate for the frontend to suggest a limit here. This is a fair concern and potential consideration for the documentation and any integrators. Lowering the severity and merging with the warden's QA report #285
Lines of code
https://github.com/code-423n4/2022-06-nibbl/blob/8c3dbd6adf350f35c58b31723d42117765644110/contracts/NibblVaultFactory.sol#L52
Vulnerability details
Impact
There is no validation being done on the minBuyoutTime when a vault is being initialized.
Proof of Concept
Consider the case where a malicious actor sets a minBuyoutTime in the far distant future, let's say 300 years for example. Users are still able to buy and sell fractionalized tokens that some may consider valueless. Users may not necessarily know that their tokens won't be available for a buyout until the far distant future.
https://github.com/code-423n4/2022-06-nibbl/blob/8c3dbd6adf350f35c58b31723d42117765644110/contracts/NibblVaultFactory.sol#L46
Tools Used
Recommended Mitigation Steps
Perform validation on the minBuyoutTime when a vault is initialized. Somewhere in the following lines: https://github.com/code-423n4/2022-06-nibbl/blob/8c3dbd6adf350f35c58b31723d42117765644110/contracts/NibblVaultFactory.sol#L48-L52
Could perform some arbitrary validation on some predetermined time constraint that makes sense.