Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

`liquidationThreshold` is applied erroneously to debt instead of collateral; borrowers can borrow more than their collateral value and drain the pool

Summary

An erroneous multiplication by `liquidationThreshold` (applied to the debt side of the check instead of the collateral side) allows borrowers to borrow more than the value of the collateral they deposited.

Vulnerability Details

Borrowers can deposit RAACNfts as collateral in `LendingPool` and borrow against them.
The `borrow` function has the following check: `if (collateralValue < userTotalDebt.percentMul(liquidationThreshold))`

```solidity
function borrow(uint256 amount) external nonReentrant whenNotPaused onlyValidAmount(amount) {
    ...
    uint256 collateralValue = getUserCollateralValue(msg.sender);
    if (collateralValue == 0) revert NoCollateral();
    ...
    // Fetch user's total debt after borrowing
    uint256 userTotalDebt = user.scaledDebtBalance.rayMul(reserve.usageIndex) + amount;
    // Ensure the user has enough collateral to cover the new debt
@>  if (collateralValue < userTotalDebt.percentMul(liquidationThreshold)) {
        revert NotEnoughCollateralToBorrow();
    }
```

`liquidationThreshold` is initialized to `BASE_LIQUIDATION_THRESHOLD = 80 * 1e2` (80%) and can't be set to a value greater than `1e4` (100%):

```solidity
// LendingPool.sol
function setParameter(OwnerParameter param, uint256 newValue) external override onlyOwner {
    if (param == OwnerParameter.LiquidationThreshold) {
@>      require(newValue <= 100_00, "Invalid liquidation threshold");
        liquidationThreshold = newValue;
    ...
```

Going back to `borrow`'s check and substituting the initialization value for `liquidationThreshold`, we have the following:

```solidity
if (collateralValue < 0.8 * debt) revert();
```

This means a borrower can take on debt of up to 125% of the collateral's value, i.e. 25% more than the collateral is worth, whereas the intended bound is 80%.
Repeating this cycle (buy an NFT, deposit it as collateral, borrow against it, buy the next NFT with the proceeds), anyone can drain the pool.

There's a second instance of this erroneous multiplication in the `withdrawNft` function, which uses the same inverted check to decide whether collateral may be released.
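A small Python model of the two checks, added here and not part of the finding or the RAAC code base, to show why scaling the debt side inverts the bound. `percent_mul` mirrors `percentMul` (integer maths, 1e4 base), and `cycle_borrow` replays the deposit/borrow loop described above against a constructed pool balance and starting capital.

```python
BPS = 10_000                            # percentMul base: 100_00 == 100%
BASE_LIQUIDATION_THRESHOLD = 80 * 100   # 80%, the value borrow() starts with


def percent_mul(value: int, bps: int) -> int:
    """Integer mirror of percentMul: value * bps / 1e4, rounded down."""
    return value * bps // BPS


def allowed_as_written(collateral: int, debt: int,
                       threshold: int = BASE_LIQUIDATION_THRESHOLD) -> bool:
    """The check in borrow()/withdrawNft: the threshold scales the DEBT side."""
    return collateral >= percent_mul(debt, threshold)


def allowed_fixed(collateral: int, debt: int,
                  threshold: int = BASE_LIQUIDATION_THRESHOLD) -> bool:
    """The recommended check: the threshold scales the COLLATERAL side."""
    return percent_mul(collateral, threshold) >= debt


def max_debt(collateral: int, allowed) -> int:
    """Largest debt a position may carry under `allowed` (binary search,
    searching up to 200% of collateral). Also exposes the floor rounding
    in percent_mul, which under the buggy check favours the borrower."""
    lo, hi = 0, collateral * 2 + 1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if allowed(collateral, mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def cycle_borrow(capital: int, pool: int, allowed, max_cycles: int = 64) -> dict:
    """Replay the loop from the finding: buy an NFT with all cash, deposit it
    at face value, borrow the maximum the check permits (capped by the pool's
    lendable balance), then repeat with the borrowed funds. Constructed model:
    no interest, no price movement, collateral valued at purchase price."""
    collateral = debt = cycles = 0
    for cycles in range(1, max_cycles + 1):
        collateral += capital                       # NFT deposited as collateral
        room = min(max_debt(collateral, allowed) - debt, pool)
        if room <= 0:                               # check binds: loop stops growing
            break
        debt += room
        pool -= room
        capital = room                              # proceeds fund the next NFT
    return {"debt": debt, "collateral": collateral, "pool_left": pool,
            "cycles": cycles, "drained": pool == 0}
```

Under the fixed check the loop converges (debt stays at or below 80% of collateral, so total debt is bounded by four times the starting capital); under the check as written each cycle borrows more than the last and the pool balance reaches zero.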

Impact

Anyone can drain the LendingPool.

Tools Used

Recommendations

Multiply `liquidationThreshold` by `collateralValue`, not `userTotalDebt`, in both `borrow` and `withdrawNft`, so the check becomes `if (collateralValue.percentMul(liquidationThreshold) < userTotalDebt) revert NotEnoughCollateralToBorrow();`.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::borrow as well as withdrawNFT() reverses collateralization check, comparing collateral < debt*0.8 instead of collateral*0.8 > debt, allowing 125% borrowing vs intended 80%
