Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Liquidated NFTs stay in Stability Pool forever

heliosophistxiv

Summary

When a user's position is liquidated, his NFTs are transferred to the stability pool. However, the stability pool has no functionality implemented to transfer the NFTs, therefore they are stuck forever.

Vulnerability Details

The entry point for liquidations is in StabilityPool.sol:L449. After performing some logic, the finalizeLiquidation(address)function is called on lendingPool.

function liquidateBorrower(address userAddress) external onlyManagerOrOwner nonReentrant whenNotPaused {

_update();

// Get the user's debt from the LendingPool.

uint256 userDebt = lendingPool.getUserDebt(userAddress);

uint256 scaledUserDebt = WadRayMath.rayMul(userDebt, lendingPool.getNormalizedDebt());

if (userDebt == 0) revert InvalidAmount();

uint256 crvUSDBalance = crvUSDToken.balanceOf(address(this));

if (crvUSDBalance < scaledUserDebt) revert InsufficientBalance();

// Approve the LendingPool to transfer the debt amount

bool approveSuccess = crvUSDToken.approve(address(lendingPool), scaledUserDebt);

if (!approveSuccess) revert ApprovalFailed();

// Update lending pool state before liquidation

lendingPool.updateState();

// Call finalizeLiquidation on LendingPool

lendingPool.finalizeLiquidation(userAddress);

emit BorrowerLiquidated(userAddress, scaledUserDebt);

}

This function is in LendingPool.sol:L496. The liquidated NFT will be transferred to the stability pool, however, stability pool does not implement any further logic to handle the received NFTs, therefore they will forever be stuck in this contract.

function finalizeLiquidation(address userAddress) external nonReentrant onlyStabilityPool {

if (!isUnderLiquidation[userAddress]) revert NotUnderLiquidation();

// update state

ReserveLibrary.updateReserveState(reserve, rateData);

if (block.timestamp <= liquidationStartTime[userAddress] + liquidationGracePeriod) {

revert GracePeriodNotExpired();

}

UserData storage user = userData[userAddress];

uint256 userDebt = user.scaledDebtBalance.rayMul(reserve.usageIndex);

isUnderLiquidation[userAddress] = false;

liquidationStartTime[userAddress] = 0;

// Transfer NFTs to Stability Pool

for (uint256 i = 0; i < user.nftTokenIds.length; i++) {

uint256 tokenId = user.nftTokenIds[i];

user.depositedNFTs[tokenId] = false;

raacNFT.transferFrom(address(this), stabilityPool, tokenId); // @audit transfer from LendingPool to StabilityPool

}

delete user.nftTokenIds;

// Burn DebtTokens from the user

(uint256 amountScaled, uint256 newTotalSupply, uint256 amountBurned, uint256 balanceIncrease) = IDebtToken(reserve.reserveDebtTokenAddress).burn(userAddress, userDebt, reserve.usageIndex);

// Transfer reserve assets from Stability Pool to cover the debt

IERC20(reserve.reserveAssetAddress).safeTransferFrom(msg.sender, reserve.reserveRTokenAddress, amountScaled);

// Update user's scaled debt balance

user.scaledDebtBalance -= amountBurned;

reserve.totalUsage = newTotalSupply;

// Update liquidity and interest rates

ReserveLibrary.updateInterestRatesAndLiquidity(reserve, rateData, amountScaled, 0);

emit LiquidationFinalized(stabilityPool, userAddress, userDebt, getUserCollateralValue(userAddress));

}

Impact

Liquidated NFTs stay in the stability pool forever, leading to financial risk for the protocol, as the liquidated assets are usually sold to cover an unhealthy debt.

Tools Used

Manual review

Recommendations

The logic for NFT liquidations is implemented in the out of scope item NFTLiquidator.sol. Ensure that stability pool also implements the necessary integrations with the other contract, so that liquidations can proceed correctly.

function liquidateBorrower(address userAddress) external onlyManagerOrOwner nonReentrant whenNotPaused {

_update();

uint256 userDebt = lendingPool.getUserDebt(userAddress);

uint256 scaledUserDebt = WadRayMath.rayMul(userDebt, lendingPool.getNormalizedDebt()); // think we raymultiply twice

if (userDebt == 0) revert InvalidAmount();

uint256 crvUSDBalance = crvUSDToken.balanceOf(address(this));

if (crvUSDBalance < scaledUserDebt) revert InsufficientBalance();

bool approveSuccess = crvUSDToken.approve(address(lendingPool), scaledUserDebt);

if (!approveSuccess) revert ApprovalFailed();

lendingPool.updateState();

// finalizeLiquidation should return nftData array with tokenID and debt for each NFT

nftData = lendingPool.finalizeLiquidation(userAddress);

// loop through array to initiate liquidation for all NFTs

nftLiquidator.liquidateNFT(tokenId, userDebt)

// loop end

emit BorrowerLiquidated(userAddress, scaledUserDebt);

}

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Liquidated RAACNFTs are sent to the StabilityPool by LendingPool::finalizeLiquidation where they get stuck

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.