Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

`LendingPool::borrow` Lacks Buffer Liquidity Check Allowing Full Liquidity Drainage

Summary

The LendingPool::borrow function fails to enforce the protocol's liquidity buffer ratio, allowing users to borrow all available liquidity and potentially leaving the protocol unable to process withdrawals.

Vulnerability Details

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/pools/LendingPool/LendingPool.sol#L325C3-L369C6

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/pools/LendingPool/LendingPool.sol#L92C1-L93C56

The protocol has a liquidityBufferRatio set to 20% (2000 basis points):

```solidity
uint256 public liquidityBufferRatio = 20_00; // 20%
```

However, in the borrow function, while collateral checks are performed, there is no check to ensure the borrow respects the buffer ratio:

```solidity
function borrow(uint256 amount) external {
    // Checks collateral
    if (collateralValue < userTotalDebt.percentMul(liquidationThreshold)) {
        revert NotEnoughCollateralToBorrow();
    }
    // Missing check for buffer ratio
    // Should have:
    // if (amount > reserve.totalLiquidity * (100 - liquidityBufferRatio) / 100)
    //     revert ExceedsLiquidityBuffer();
}
```

This allows borrowers to drain all liquidity from the protocol, even though 20% should be reserved as a buffer.

Example:

  • Total liquidity: 1000 tokens

  • Buffer requirement: 200 tokens (20%)

  • Maximum borrowable should be: 800 tokens

  • Current implementation allows borrowing all 1000 tokens
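The 1000-token scenario above as a small model, added here as an example; it is not code from the submission or from RAAC. `ToyPool`, its methods and the `InsufficientLiquidity` name are hypothetical, and sizing the buffer against held plus lent-out liquidity is an assumption that goes slightly beyond the single-borrow case in the text. `percent_cap` shows why a cap over a ratio stored as `20_00` needs a basis-point denominator.

```python
BPS = 10_000  # basis-point denominator: 20_00 bps == 20%


class ToyPool:
    """Constructed model for illustration; not RAAC's LendingPool."""

    def __init__(self, liquidity, buffer_bps=20_00, enforce_buffer=False):
        self.available = liquidity   # tokens the pool holds right now
        self.borrowed = 0            # tokens currently lent out
        self.buffer_bps = buffer_bps
        self.enforce_buffer = enforce_buffer

    def max_borrow(self):
        if not self.enforce_buffer:
            return self.available    # behaviour the finding describes
        # Reserve the buffer against total liquidity (held + lent out), so
        # earlier borrows count toward the cap as well.
        reserve = (self.available + self.borrowed) * self.buffer_bps // BPS
        return max(self.available - reserve, 0)

    def borrow(self, amount):
        if amount > self.max_borrow():
            raise ValueError("ExceedsLiquidityBuffer")
        self.available -= amount
        self.borrowed += amount

    def withdraw(self, amount):
        if amount > self.available:
            raise ValueError("InsufficientLiquidity")
        self.available -= amount


def can_withdraw_after_max_borrow(enforce_buffer, withdrawal=200):
    """Borrow the maximum from a 1000-token pool, then try a withdrawal."""
    pool = ToyPool(1000, enforce_buffer=enforce_buffer)
    borrowed = pool.max_borrow()
    pool.borrow(borrowed)
    try:
        pool.withdraw(withdrawal)
        return borrowed, True
    except ValueError:
        return borrowed, False


def percent_cap(total, ratio):
    # Same shape as a cap written with a denominator of 100. With the ratio
    # stored as 20_00 the subtraction is negative, which uint256 cannot hold.
    return total * (100 - ratio) // 100
```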

Impact

The lack of buffer check:

  • Allows complete drainage of protocol liquidity

  • Prevents protocol from maintaining required safety buffer

  • Could block withdrawals from depositors

  • Breaks core protocol features

Tools Used

Foundry

Recommendations

Add the following error to ILendingPool:

```solidity
error NotEnoughCollateralToBorrow();
```

Add buffer ratio check in borrow function:

function borrow(uint256 amount) external {
+ if (amount > reserve.totalLiquidity * (100 - liquidityBufferRatio) / 100) {
+ revert ExceedsLiquidityBuffer();
+ }
if (collateralValue < userTotalDebt.percentMul(liquidationThreshold)) {
revert NotEnoughCollateralToBorrow();
}
...
}
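
Review bot: the added `if` at the top of `borrow` computes the cap as `(100 - liquidityBufferRatio) / 100`, but the page declares `liquidityBufferRatio = 20_00` in basis points, so `100 - liquidityBufferRatio` underflows on a uint256 instead of yielding 80%. Use a basis-point denominator, for example `reserve.totalLiquidity * (100_00 - liquidityBufferRatio) / 100_00`. The hunk also reverts with `ExceedsLiquidityBuffer()`, while the error the recommendation adds to ILendingPool is `NotEnoughCollateralToBorrow()`, which the existing collateral check already uses; the new error needs its own declaration.
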
Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::borrow allows borrowing beyond the 20% liquidity buffer ratio, potentially depleting available liquidity and affecting user withdrawals

Appeal created

anonymousjoe Auditor
10 months ago
inallhonesty Lead Judge
10 months ago
inallhonesty Lead Judge
10 months ago
inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

LendingPool::borrow allows borrowing beyond the 20% liquidity buffer ratio, potentially depleting available liquidity and affecting user withdrawals
