LendingPool's borrow() function permits borrowing up to 80% (liquidationThreshold) of collateral value
Summary
The LendingPool contract's collateralization checks allow users to borrow up to the full liquidation threshold, creating positions that are immediately vulnerable to liquidation. This design flaw undermines the protocol's risk management.
Vulnerability Details
The LendingPool's borrow() function permits borrowing up to 80% (liquidationThreshold) of collateral value: LendingPool#L344-L345
See this flow, a user deposits 100 ETH as collateral when ETH = $2000. They can borrow up to 80% ($160,000). If ETH drops just 1% to $1980, their position becomes liquidatable, as their collateral value ($198,000) falls below the required threshold.
Because the borrow() function uses the liquidation threshold directly as the borrowing limit, rather than maintaining a safety buffer between the maximum borrow amount and the liquidation threshold.
Impact
This vulnerability creates systemic risk by allowing positions to be created at the liquidation threshold, making them immediately vulnerable to market volatility. Users can borrow up to exactly 80% of their collateral value, making them immediately vulnerable to liquidation if prices decline even slightly.
Recommendations
Lead Judging Commences
LendingPool::borrow as well as withdrawNFT() reverses collateralization check, comparing collateral < debt*0.8 instead of collateral*0.8 > debt, allowing 125% borrowing vs intended 80%
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.