Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

LendingPool: Incorrect Debt-to-Collateral Health Check During WithdrawNFT

Summary

LendingPool: The health check in the withdrawNFT function should ensure that the collateral value, adjusted by the liquidation threshold, is greater than or equal to the user's total debt. However, the current check multiplies the total debt by the liquidation threshold instead of multiplying the collateral value by it, leading to an incorrect evaluation of borrowing eligibility.

Vulnerability Details

The withdrawNFT function checks loan health as follows:

    if (collateralValue - nftValue < userDebt.percentMul(liquidationThreshold)) {
        revert WithdrawalWouldLeaveUserUnderCollateralized();
    }

Assume:

  • LiquidationThreshold = 80%

  • collateralValue - nftValue = $1000

  • userTotalDebt = $1200

The check 1000 < 1200 * 80% (that is, 1000 < 960) is false, so the call does not revert: the user can withdraw the NFT, and their debt will be more than the remaining collateral value.

Impact

The user can withdraw the NFT even though their debt will then be more than their actual collateral value.

Lenders end up paying for the resulting bad debt and lose money.

Tools Used

vscode

Recommendations

    if ((collateralValue - nftValue).percentMul(liquidationThreshold) < userDebt) {
        revert NotEnoughCollateralToBorrow();
    }
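
The two checks side by side, as an added example that is not part of the submission or the project's code. It assumes percentMul works in basis points (10000 = 100%) with half-up rounding; the function names and the 1500/500 split of the collateral are constructed for illustration.

```javascript
// Added illustration: models both health checks with BigInt basis-point math.
// Assumption: percentMul uses 10000 = 100% and rounds half up (Aave-style).
const PERCENTAGE_FACTOR = 10000n;

function percentMul(value, bps) {
  return (value * bps + PERCENTAGE_FACTOR / 2n) / PERCENTAGE_FACTOR;
}

// Check as quoted in the finding: the threshold is applied to the debt.
function buggyWithdrawReverts(collateralValue, nftValue, userDebt, thresholdBps) {
  return collateralValue - nftValue < percentMul(userDebt, thresholdBps);
}

// Check as recommended in the finding: the threshold is applied to the
// collateral that remains after the NFT is removed.
function fixedWithdrawReverts(collateralValue, nftValue, userDebt, thresholdBps) {
  return percentMul(collateralValue - nftValue, thresholdBps) < userDebt;
}

// Largest debt a check still lets through for a given remaining collateral.
// Binary search is valid because both checks are monotonic in the debt.
function maxDebtAllowed(reverts, remaining, thresholdBps) {
  let lo = 0n;
  let hi = remaining * 4n; // upper bound, sufficient for the 80% threshold used here
  while (lo < hi) {
    const mid = (lo + hi + 1n) / 2n;
    if (reverts(remaining, 0n, mid, thresholdBps)) hi = mid - 1n;
    else lo = mid;
  }
  return lo;
}

// Constructed scenario matching the finding: 1500 collateral, 500 NFT, 1200 debt.
const scenario = [1500n, 500n, 1200n, 8000n];
console.log("buggy check reverts:", buggyWithdrawReverts(...scenario));
console.log("fixed check reverts:", fixedWithdrawReverts(...scenario));
console.log("max debt, buggy:", maxDebtAllowed(buggyWithdrawReverts, 1000n, 8000n));
console.log("max debt, fixed:", maxDebtAllowed(fixedWithdrawReverts, 1000n, 8000n));
```

With $1000 of remaining collateral, the quoted check tolerates up to $1250 of debt, while the recommended check caps it at $800.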

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::borrow as well as withdrawNFT() reverses collateralization check, comparing collateral < debt*0.8 instead of collateral*0.8 > debt, allowing 125% borrowing vs intended 80%
