Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Liquidated NFT will be locked in the StabilityPool

x1485967

Summary

Liquidated NFT will be locked in the StabilityPool

Vulnerability Details

When the borrower's position is unhealthy, we can liquidate this borrower's position via liquidateBorrower(). In function finalizeLiquidation(), we will transfer the borrower's NFTs to the stability pool.

The problem is that there is not one interface in stability pool to transfer these NFTs out of the stability pool.

According to current design, these NFTs are expected to transfer to NFTLiquidator contract to sell via auction. But we miss the implementation to trigger NFTLiquidator::liquidateNFT().

function liquidateBorrower(address userAddress) external onlyManagerOrOwner nonReentrant whenNotPaused {
lendingPool.finalizeLiquidation(userAddress);
}
function finalizeLiquidation(address userAddress) external nonReentrant onlyStabilityPool {
...
for (uint256 i = 0; i < user.nftTokenIds.length; i++) {
uint256 tokenId = user.nftTokenIds[i];
user.depositedNFTs[tokenId] = false;
raacNFT.transferFrom(address(this), stabilityPool, tokenId);
}
...
}

Impact

Liquidated NFTs will be locked in the stability pool contract.

Tools Used

Manual

Recommendations

Add one interface in stability pool to process the liquidated NFTs.

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Liquidated RAACNFTs are sent to the StabilityPool by LendingPool::finalizeLiquidation where they get stuck

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.