Lines of code
https://github.com/code-423n4/2022-07-fractional/blob/main/src/modules/Buyout.sol#L57

Vulnerability details

Impact
Anyone can start a Buyout for a vault by paying only 1 wei. For the next 4 days no other Buyout can start. If someone is fast enough, they can start another griefing buyout as soon as one finishes, so it is possible to block the functionality of the contract forever.
Among others, the following functionality is impacted:
1) it blocks serious buyouts (obviously);
2) it blocks redeem, meaning that even if someone holds 100% of the fractional tokens of a vault, they will never get the NFT back;
3) it blocks any migration, since the buyout needs to be inactive for every step;
4) all funds in Migration.sol can't be withdrawn, since leave requires the buyout to be inactive.
Blocking buyouts and migrations makes fractional tokens worthless, since there is no way to get the underlying back.

Proof of Concept
https://github.com/code-423n4/2022-07-fractional/blob/main/src/modules/Buyout.sol#L57
https://github.com/code-423n4/2022-07-fractional/blob/main/src/modules/Migration.sol#L148-L150

Recommended Mitigation Steps
Consider allowing a buyout to be overwritten by another one with a better price. Alternatively, allow multiple buyouts to be active at the same time using an index, as is done for migration proposals.
Also add a require(depositAmount > 0) in Buyout.start, so that someone who holds 100% of the tokens can redeem immediately without a griefer making them wait.
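The two mitigations above, as an added illustrative example and not code from the Fractional repository: a hypothetical, simplified buyout module that keeps the one-buyout-per-vault, 4 day window shape the finding describes, but requires a non-zero fraction deposit and lets a live buyout be displaced only by a strictly higher offer. The contract name, the ERC-20-style IFractions interface (the real project uses an ERC-1155 token), the pull-payment refund and the simplified end() are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

/// Assumed ERC-20-style interface for a vault's fractional tokens. The real
/// project uses an ERC-1155 contract; this shape is a simplification for the example.
interface IFractions {
    function totalSupply() external view returns (uint256);
    function balanceOf(address owner) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Hypothetical, simplified buyout module written for this note; it is not
/// Fractional's Buyout.sol. One fraction token stands for one vault.
contract HardenedBuyout {
    enum State { INACTIVE, LIVE }

    struct Buyout {
        address proposer;
        uint256 startTime;
        uint256 fractionPrice;    // wei offered per fraction the proposer does not hold
        uint256 ethDeposit;
        uint256 fractionDeposit;
        State state;
    }

    uint256 public constant PROPOSAL_PERIOD = 4 days;
    mapping(IFractions => Buyout) public buyouts;       // fraction token (vault) => buyout
    mapping(address => uint256) public pendingRefunds;  // pull-payment ETH refunds

    /// Open a buyout, staking `depositAmount` fractions plus msg.value of ETH.
    function start(IFractions fractions, uint256 depositAmount) external payable {
        // Mitigation 1: the proposer must stake real fractions. An address holding
        // none can no longer open a buyout, so the holder of 100% of the supply is
        // never kept from redeem() by a 1 wei placeholder.
        require(depositAmount > 0, "zero fraction deposit");
        uint256 supply = fractions.totalSupply();
        require(depositAmount < supply, "nothing to buy out: redeem instead");

        uint256 price = msg.value / (supply - depositAmount);
        require(price > 0, "offer too small");

        Buyout memory current = buyouts[fractions];
        if (current.state == State.LIVE) {
            // Mitigation 2: a live buyout may be replaced only by a strictly better
            // offer, so a nominal offer cannot hold the slot for the whole window.
            require(block.timestamp < current.startTime + PROPOSAL_PERIOD, "end expired buyout first");
            require(price > current.fractionPrice, "offer does not beat current buyout");
        }

        // Effects before interactions: record the new buyout, then move tokens.
        buyouts[fractions] = Buyout(msg.sender, block.timestamp, price, msg.value, depositAmount, State.LIVE);
        if (current.state == State.LIVE) {
            // Displaced proposer gets ETH queued for withdrawal and fractions returned.
            pendingRefunds[current.proposer] += current.ethDeposit;
            require(fractions.transfer(current.proposer, current.fractionDeposit), "refund failed");
        }
        require(fractions.transferFrom(msg.sender, address(this), depositAmount), "deposit failed");
    }

    /// The sole holder of all fractions takes the vault back. Only a live buyout
    /// blocks this, and a live buyout now needs fractions the sole holder has not sold.
    function redeem(IFractions fractions) external view {
        require(buyouts[fractions].state == State.INACTIVE, "buyout live");
        require(fractions.balanceOf(msg.sender) == fractions.totalSupply(), "not sole holder");
        // Release of the underlying NFT to msg.sender is vault-specific and omitted here.
    }

    /// Clear an expired buyout. The real module settles success or failure here;
    /// this simplified version only refunds the proposer, enough to free the slot.
    function end(IFractions fractions) external {
        Buyout memory current = buyouts[fractions];
        require(current.state == State.LIVE, "no buyout");
        require(block.timestamp >= current.startTime + PROPOSAL_PERIOD, "still live");
        delete buyouts[fractions];
        pendingRefunds[current.proposer] += current.ethDeposit;
        require(fractions.transfer(current.proposer, current.fractionDeposit), "refund failed");
    }

    /// Pull-payment withdrawal, so a refund recipient that reverts cannot block start() or end().
    function withdrawRefund() external {
        uint256 amount = pendingRefunds[msg.sender];
        pendingRefunds[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "withdraw failed");
    }
}
```

The displaced proposer is refunded through pendingRefunds rather than a direct ETH send, so a proposer whose receive hook reverts cannot turn the overwrite path itself into a new way to pin the slot. The depositAmount < supply check covers the edge case the finding raises: a holder of the full supply has nothing to buy out and is routed to redeem().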