Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

User is always able to leave his position undercollateralised with the `withdrawNFT` function

Summary

A user is always able to leave his position undercollateralised with the `withdrawNFT` function. This is due to the following check:

    if (
        collateralValue - nftValue <
        userDebt.percentMul(liquidationThreshold)
    ) {
        revert WithdrawalWouldLeaveUserUnderCollateralized();
    }

Vulnerability Details

Imagine the following scenario:

  1. A malicious user borrows assets from the rToken contract. He borrows 100k against 120k worth of NFT assets.

  2. With the check listed above, the user is then able to drop the collateral value to 80k, leaving bad debt for the protocol and making it possible for the user to use the NFT in another position.

This is extremely bad for the protocol, as it leaves loans with a collateral amount of just 80% of the debt value.

Impact

This leads to undercollateralised positions and bad debt for the protocol.

Tools Used

Manual review

Recommendations

Instead, do it like this:

if (
collateralValue - nftValue <
-- userDebt.percentMul(liquidationThreshold)
++ userDebt.percentDiv(liquidationThreshold)
) {
revert WithdrawalWouldLeaveUserUnderCollateralized();
}
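
Review bot: the `++` line swaps in `percentDiv` only for this `withdrawNFT` check, while the judging tag on this finding names `LendingPool::borrow` as carrying the same reversed comparison, so the borrow path needs the same change or a position can still be opened below the level this check enforces. It would also help to add a comment on the `++` line stating which way `percentDiv` rounds, since the condition is a strict `<` against its result and the boundary case decides whether a withdrawal at exactly the required collateral is allowed.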

This will force users to stay at the proper collateral level.
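
The scenario from Vulnerability Details, run through both forms of the check, as an added example that is not part of the original submission or the protocol's code. It assumes basis-point arithmetic with half-up rounding for `percentMul`/`percentDiv` (the page does not show the library), an 80% threshold written as 8000, and a constructed portfolio of three 40k NFTs; `withdrawUntilRevert` and `scenario` are hypothetical helper names.

```javascript
// Added illustration: integer model of the withdrawNFT collateral check.
// Assumption: percentMul/percentDiv work in basis points, rounding half up.
const PERCENTAGE_FACTOR = 10000n;
const HALF = PERCENTAGE_FACTOR / 2n;

const percentMul = (value, bps) => (value * bps + HALF) / PERCENTAGE_FACTOR;
const percentDiv = (value, bps) => (value * PERCENTAGE_FACTOR + bps / 2n) / bps;

// Each predicate returns true when the contract check would revert.
const revertsOriginal = (collateral, nft, debt, lt) =>
  collateral - nft < percentMul(debt, lt);
const revertsRecommended = (collateral, nft, debt, lt) =>
  collateral - nft < percentDiv(debt, lt);

// Withdraw NFTs one at a time until the check reverts; report what is left.
function withdrawUntilRevert(nftValues, debt, lt, reverts) {
  let collateral = nftValues.reduce((a, b) => a + b, 0n);
  let withdrawn = 0;
  for (const nft of nftValues) {
    if (reverts(collateral, nft, debt, lt)) break;
    collateral -= nft;
    withdrawn += 1;
  }
  // Shortfall is the part of the debt no longer backed by any collateral.
  const shortfall = debt > collateral ? debt - collateral : 0n;
  return { collateral, withdrawn, shortfall };
}

// Constructed sample: three NFTs worth 40k each (120k total), 80% threshold.
const LT = 8000n;
const NFTS = [40000n, 40000n, 40000n];

function scenario(debt) {
  return {
    original: withdrawUntilRevert(NFTS, debt, LT, revertsOriginal),
    recommended: withdrawUntilRevert(NFTS, debt, LT, revertsRecommended),
  };
}

console.log(scenario(100000n)); // the report's 100k-debt position
console.log(scenario(50000n));  // a lower-debt position for comparison
```

With 100k of debt the original check lets one NFT leave and stops at 80k of collateral, while the recommended check requires 125k and rejects every withdrawal. With 50k of debt the recommended check still permits a withdrawal down to 80k, so healthy positions are not locked.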

Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::borrow as well as withdrawNFT() reverses collateralization check, comparing collateral < debt*0.8 instead of collateral*0.8 > debt, allowing 125% borrowing vs intended 80%
