Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Incorrect health check in withdrawNFT & borrow

x1485967

Summary

We make the incorrect health check in withdrawNFT().

Vulnerability Details

In LendingPool, borrowers can choose to withdraw one NFT from his collateral NFTs. No matter which NFT is withdrawn, we need to make sure that we have enough collateral value to cover the debt.

The problem is that we make the incorrect health check. Let's assume the liquidationThreshold is the default value: 8000. Then we should make sure that left collateral value * 80% >= userDebt. But current implementation is that this transaction can work well if the left collateral value >= 80% * userDebt.

The same issue happens in borrow() function. Users can use 800 collateral value to borrow 1000 Debt. This will steal funds from the Lending pool.

function withdrawNFT(uint256 tokenId) external nonReentrant whenNotPaused {
if (collateralValue - nftValue < userDebt.percentMul(liquidationThreshold)) {
revert WithdrawalWouldLeaveUserUnderCollateralized();
}
...
}
function borrow(uint256 amount) external nonReentrant whenNotPaused onlyValidAmount(amount) {
if (collateralValue < userTotalDebt.percentMul(liquidationThreshold)) {
revert NotEnoughCollateralToBorrow();
}
}

Impact

Malicious borrowers can steal funds from the LendingPool.

Tools Used

Manual

Recommendations

Correct the health check in borrow()/withdrawNFT(), collateralValue * 80% >= userDebt

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::borrow as well as withdrawNFT() reverses collateralization check, comparing collateral < debt*0.8 instead of collateral*0.8 > debt, allowing 125% borrowing vs intended 80%

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.