Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

DOS Attack via Unbounded NFT Array in LendingPool

oct0pwn

Summary

The LendingPool contract contains an unbounded array nftTokenIds within its UserData struct that can be manipulated by users to trigger out-of-gas (OOG) exceptions in critical functions, particularly affecting the liquidation process. This vulnerability could prevent the liquidation of undercollateralized positions, putting the protocol's solvency at risk.

Vulnerability Details
The vulnerability stems from the nftTokenIds array in the UserData struct that can grow without bounds through repeated calls to depositNFT(). This array is iterated in several critical functions:

// In LendingPool.sol
function finalizeLiquidation(address userAddress) external nonReentrant onlyStabilityPool {
// ... other code ...
UserData storage user = userData[userAddress];
// This loop can be forced to consume excessive gas
for (uint256 i = 0; i < user.nftTokenIds.length; i++) {
uint256 tokenId = user.nftTokenIds[i];
user.depositedNFTs[tokenId] = false;
raacNFT.transferFrom(address(this), stabilityPool, tokenId);
}
// ... other code ...
}

The array is also iterated in other functions that calculate collateral value:

function getUserCollateralValue(address userAddress) public view returns (uint256) {
UserData storage user = userData[userAddress];
uint256 totalValue = 0;
// This loop can also be forced to consume excessive gas
for (uint256 i = 0; i < user.nftTokenIds.length; i++) {
uint256 tokenId = user.nftTokenIds[i];
uint256 price = getNFTPrice(tokenId);
totalValue += price;
}
return totalValue;
}

A malicious user could:

  1. Take out loans

  2. Deposit a large number of low-value NFTs through multiple calls to depositNFT()

  3. Let their position become undercollateralized

  4. The large number of NFTs would cause the liquidation to fail due to OOG

Impact

The impact of this vulnerability is rated as high because the attack creates a direct risk to protocol solvency by preventing the liquidation mechanism from functioning properly. When positions cannot be liquidated, the protocol may accumulate bad debt.

The vulnerability directly affects critical protocol functionality: liquidations are essential for maintaining protocol solvency and protecting lenders' assets.

Recommendations

Implement a maximum limit on NFTs per user:

uint256 public constant MAX_NFTS_PER_USER = 50;
function depositNFT(uint256 tokenId) external nonReentrant whenNotPaused {
UserData storage user = userData[msg.sender];
require(user.nftTokenIds.length < MAX_NFTS_PER_USER, "Too many NFTs");
// ... rest of the function
}
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

LendingPool: Unbounded NFT array iteration in collateral valuation functions creates DoS risk, potentially blocking liquidations and critical operations

LightChaser L-36 and M-02 covers it.

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

LendingPool: Unbounded NFT array iteration in collateral valuation functions creates DoS risk, potentially blocking liquidations and critical operations

LightChaser L-36 and M-02 covers it.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.