In the LendingPool contract, users can borrow interest-bearing RTokens with their deposited NFTs as collateral by calling the borrow function. When a user's health factor falls below a certain threshold, they get liquidated: their NFTs are seized and their debt is updated accordingly. However, liquidation takes no action on the interest-bearing RTokens the liquidated user borrowed, which means those tokens continue to accrue interest even after the user is liquidated.
So, a liquidated user can just wait for a certain (arbitrary) amount of time and call LendingPool::withdraw to withdraw their interest-accrued tokens even though they had been liquidated.
Imagine the scenario where a user gets liquidated, their NFTs' price erases all their debt, and they withdraw their tokens long after their liquidation to effectively steal interest from the protocol.
The liquidated user will essentially be able to steal rewards from the protocol/other users since their position won't be backed by any collateral.
Consider also burning the user's RTokens on liquidation, or marking the user as liquidated so that they cannot withdraw anymore.
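The following is an added example, not code from the protocol: a simplified Python model of the accounting described in this finding, comparing the unmitigated behaviour with the two suggested fixes. The `PoolModel` class, its field names, the index-based interest and the sample amounts are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

RAY = 10**27  # fixed-point scale for the interest index (assumption of this model)

@dataclass
class PoolModel:
    # Hypothetical model of the finding's accounting; not the LendingPool contract.
    mitigation: str = "none"  # "none", "burn" or "flag"
    index: int = RAY  # global interest index; balances grow with it
    scaled: dict = field(default_factory=dict)  # user -> scaled RToken balance
    debt: dict = field(default_factory=dict)  # user -> outstanding debt
    nfts: dict = field(default_factory=dict)  # user -> collateral value
    liquidated: set = field(default_factory=set)

    def borrow(self, user, nft_value, amount):
        self.nfts[user] = nft_value
        self.debt[user] = amount
        self.scaled[user] = amount * RAY // self.index

    def accrue(self, rate_bps):
        self.index += self.index * rate_bps // 10_000

    def balance_of(self, user):
        return self.scaled.get(user, 0) * self.index // RAY

    def liquidate(self, user):
        seized = self.nfts.pop(user)  # collateral is seized
        self.debt[user] = max(0, self.debt[user] - seized)
        if self.mitigation == "burn":
            self.scaled[user] = 0  # fix 1: burn RTokens on liquidation
        elif self.mitigation == "flag":
            self.liquidated.add(user)  # fix 2: block later withdrawals

    def withdraw(self, user):
        if user in self.liquidated:
            raise PermissionError("account was liquidated")
        amount = self.balance_of(user)
        self.scaled[user] = 0
        return amount

def run(mitigation):
    """Constructed scenario: liquidate first, accrue 10% afterwards, then withdraw."""
    pool = PoolModel(mitigation=mitigation)
    pool.borrow("alice", nft_value=100, amount=100)
    pool.liquidate("alice")  # NFT value erases the whole debt
    pool.accrue(rate_bps=1_000)
    try:
        return pool.withdraw("alice")
    except PermissionError:
        return "reverted"
```

The same three cases translate directly into regression tests against the real contract once a fix is chosen.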