Core Contracts

Regnum Aurum Acquisition Corp
77,280 USDC
Submission Details
Severity: low
Invalid

Single Point of Failure in StabilityPool Address Management

Summary

The NFTLiquidator contract relies on the StabilityPool for executing NFT liquidations and handling auction proceeds. However, the setStabilityPool function lacks proper validation, allowing the owner to set it to address(0) or an invalid address. If incorrectly configured, this could lead to failed liquidations and potential loss of funds.

Vulnerability Details

function setStabilityPool(address _stabilityPool) external onlyOwner {
    stabilityPool = _stabilityPool;
    emit StabilityPoolSet(_stabilityPool);
}

The setStabilityPool function allows arbitrary assignment of the StabilityPool address without verification. If set to address(0) or an incorrect address, the liquidation mechanism will break, as only the StabilityPool is authorized to call liquidateNFT(). Auction proceeds are directed to the StabilityPool, meaning an incorrect address could lead to fund misdirection or total loss.

Impact

  • Liquidation Failure: If the StabilityPool address is misconfigured, NFTs cannot be liquidated, leading to protocol insolvency risks.

  • Loss of Auction Proceeds: Auction proceeds sent to an incorrect or compromised address would be irrecoverable.

  • Exploitation of StabilityPool: If the StabilityPool contract is compromised or upgraded incorrectly, an attacker could:

    1. Force liquidate any NFT via liquidateNFT().

    2. Steal auction proceeds since they are sent to the StabilityPool address.

    3. Manipulate the auction process to create an unfair advantage or extract funds from the protocol.

Attack Scenario

  1. The contract owner mistakenly sets the StabilityPool to address(0).

  2. No liquidations can occur since the liquidateNFT() function is restricted to StabilityPool.

  3. Borrowers holding undercollateralized positions are not liquidated, resulting in protocol losses.

  4. Alternatively, an attacker sets the StabilityPool address to a malicious contract, intercepting all auction proceeds.

Recommendations

Input Validation: Ensure setStabilityPool only accepts valid contract addresses using
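A sketch of the kind of input validation this recommendation describes, added here as an example and not code from the submission or the protocol. The contract name NFTLiquidatorSketch, the owner handling, the event signature and the custom error names are assumptions; the unchecked setter repeats the body quoted above for comparison.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration only: a stripped-down stand-in for NFTLiquidator.
/// Owner handling, event signature and error names are assumptions.
contract NFTLiquidatorSketch {
    address public owner;
    address public stabilityPool;

    event StabilityPoolSet(address stabilityPool);

    error NotOwner();
    error ZeroAddress();
    error NotAContract(address candidate);
    error Unchanged();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    /// Before: same body as the setter quoted in the submission; accepts any address.
    function setStabilityPoolUnchecked(address _stabilityPool) external onlyOwner {
        stabilityPool = _stabilityPool;
        emit StabilityPoolSet(_stabilityPool);
    }

    /// After: rejects address(0), addresses without code, and no-op updates.
    function setStabilityPool(address _stabilityPool) external onlyOwner {
        if (_stabilityPool == address(0)) revert ZeroAddress();
        // code.length is 0 for EOAs and for contracts still running their constructor.
        if (_stabilityPool.code.length == 0) revert NotAContract(_stabilityPool);
        if (_stabilityPool == stabilityPool) revert Unchanged();
        stabilityPool = _stabilityPool;
        emit StabilityPoolSet(_stabilityPool);
    }
}
```

These checks catch configuration mistakes only: they cannot tell a genuine StabilityPool from any other deployed contract, so the owner is still trusted to supply the right address.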

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
