Insufficient Collateral Validation in Borrow Function Allows Excess Debt
Summary
The borrow function checks collateralization after updating state instead of validating the requested amount upfront.
Vulnerability Details
The LendingPool contract allows users to borrow amounts that exceed their safe collateralization ratio. When a user with 1,000,000 worth of collateral attempts to borrow 900,000 tokens, the transaction will succeeds despite the liquidation threshold of 80% limiting the maximum borrow to 800,000 tokens.
Let's say a user deposits collateral worth 1,000,000 tokens. They then call borrow(900000). The contract updates the debt before validating against the liquidation threshold, allowing the position to become undercollateralized. This creates an immediate liquidation opportunity and puts protocol funds at risk.
This allows users to take on more debt than their collateral supports, creating undercollateralized positions. This puts the protocol's solvency at risk and could trigger a cascade of liquidations if asset prices decline.
Impact
The LendingPool allows borrowing amounts that exceed the safe collateralization ratio, putting the protocol at risk of undercollateralized positions.
Recommendations
Add pre-validation of borrow amount
Lead Judging Commences
LendingPool::borrow as well as withdrawNFT() reverses collateralization check, comparing collateral < debt*0.8 instead of collateral*0.8 > debt, allowing 125% borrowing vs intended 80%
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.