Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Tokens can be borrowed while being undercollateralized

Impact

High

Likelihood

Very high

Description

The LendingPool.sol contract is the main lending and borrowing pool in the RAAC protocol. Users can borrow against the NFTs they have deposited as collateral. However, consider the following code from LendingPool::borrow():

// Ensure sufficient liquidity is available
_ensureLiquidity(amount);
// Fetch user's total debt after borrowing
uint256 userTotalDebt = user.scaledDebtBalance.rayMul(reserve.usageIndex) + amount;
// Ensure the user has enough collateral to cover the new debt
@> if (collateralValue < userTotalDebt.percentMul(liquidationThreshold)) {
    revert NotEnoughCollateralToBorrow();
}

For context: by default, liquidationThreshold = 80e2, and it cannot be more than 100e2.

We can see that the code, interestingly, compares collateralValue < userTotalDebt.percentMul(liquidationThreshold), which means the collateralValue cannot be less than that. However, if we look at how that is calculated, there can be a case where the collateral amount would be

userTotalDebt.percentMul(liquidationThreshold) < collateralValue <= userTotalDebt

Example:

User debt before this transaction = 0

User wants to take a loan of amount = 100 Ether

liquidationThreshold = 80e2

HALF_PERCENTAGE_FACTOR = 0.5e4

PERCENTAGE_FACTOR = 1e4

Then the required collateral would be 80.5 Ether

This results in the loan being undercollateralized: the person can have a loan worth 100 Ether with just 80.51 Ether of collateral.

Note: this report DOES NOT state that the problem is with the accounting library.

This means that any person can get the loan as long as they have collateral above 80.5 Ether, and since 80.5 Ether < 100 Ether, the loan will be undercollateralized.

Mitigation
-

Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::borrow as well as withdrawNFT() reverses collateralization check, comparing collateral < debt*0.8 instead of collateral*0.8 > debt, allowing 125% borrowing vs intended 80%
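
The two orientations of the check, modeled with BigInt as an added example (not part of the submission or the RAAC code base). It assumes percentMul rounds half up using the two constants listed in the submission; the function names and the sample collateral value are hypothetical.

```javascript
// Added example: BigInt model of the collateral check quoted from LendingPool::borrow().
const PERCENTAGE_FACTOR = 10_000n;      // 1e4, as listed in the submission
const HALF_PERCENTAGE_FACTOR = 5_000n;  // 0.5e4, as listed in the submission
const ETHER = 10n ** 18n;

// Assumption: percentMul rounds half up, (value * pct + HALF) / FACTOR.
function percentMul(value, percentage) {
  return (value * percentage + HALF_PERCENTAGE_FACTOR) / PERCENTAGE_FACTOR;
}

// Check as quoted on this page: the threshold is applied to the debt.
function borrowAllowedAsWritten(collateralValue, userTotalDebt, liquidationThreshold) {
  return !(collateralValue < percentMul(userTotalDebt, liquidationThreshold));
}

// Orientation named in the judging tag: the threshold is applied to the collateral.
function borrowAllowedIntended(collateralValue, userTotalDebt, liquidationThreshold) {
  return !(percentMul(collateralValue, liquidationThreshold) < userTotalDebt);
}

// Largest debt a check accepts for a given collateral value.
// Binary search is valid because both predicates are monotone in the debt.
function maxDebt(check, collateralValue, liquidationThreshold) {
  let lo = 0n;
  let hi = collateralValue * 2n;
  while (lo < hi) {
    const mid = (lo + hi + 1n) / 2n;
    if (check(collateralValue, mid, liquidationThreshold)) lo = mid;
    else hi = mid - 1n;
  }
  return lo;
}

function compare(collateralValue, liquidationThreshold = 8_000n) {
  const asWritten = maxDebt(borrowAllowedAsWritten, collateralValue, liquidationThreshold);
  const intended = maxDebt(borrowAllowedIntended, collateralValue, liquidationThreshold);
  // Debt ceiling of the quoted check, in basis points of the collateral value.
  const ratioBps = (asWritten * PERCENTAGE_FACTOR) / collateralValue;
  return { asWritten, intended, ratioBps };
}

// Constructed input: collateral appraised at 100 units with 18 decimals.
console.log(compare(100n * ETHER));
```

A regression test for the contract can assert the same boundary: a borrow that would take the debt above the thresholded collateral value must revert with NotEnoughCollateralToBorrow.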
