Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

User can borrow funds for 80% of his debt in `LendingPool`

kirobrejka

Summary

This happens due to the following block of code in the LendingPool::borrow function:

function borrow(

uint256 amount

) external nonReentrant whenNotPaused onlyValidAmount(amount) {

if (isUnderLiquidation[msg.sender])

revert CannotBorrowUnderLiquidation();

UserData storage user = userData[msg.sender];

uint256 collateralValue = getUserCollateralValue(msg.sender);

if (collateralValue == 0) revert NoCollateral();

// Update reserve state before borrowing

ReserveLibrary.updateReserveState(reserve, rateData);

// Ensure sufficient liquidity is available

_ensureLiquidity(amount);

// Fetch user's total debt after borrowing

uint256 userTotalDebt = user.scaledDebtBalance.rayMul(

reserve.usageIndex

) + amount;

// Ensure the user has enough collateral to cover the new debt

@> if (collateralValue < userTotalDebt.percentMul(liquidationThreshold)) {

@> revert NotEnoughCollateralToBorrow();

}

Vulnerability Details

Imagine the following scenario:

User deposit an NFT that is worth 80k to the LendingPool contract.
Due to the check listed above, he is able to get 100k of crvUSD

This is extremely bad for the protocol since it creates bad debt and even if the user gets liquidated, he is on 20k crvUSD profit for this exchange

Impact

User leaves the protocol with bad debt and receives profit from doing so

Tools Used

Manual review

Recommendations

Change the highlighted check as it follows:

-- if (collateralValue < userTotalDebt.percentMul(liquidationThreshold)) {

++ if (collateralValue < userTotalDebt.percentDiv(liquidationThreshold)) {

revert NotEnoughCollateralToBorrow();

}

This change will lead to users maintaining the proper collateral value

Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 months ago

Submission Judgement Published

Validated

Assigned finding tags:

LendingPool::borrow as well as withdrawNFT() reverses collateralization check, comparing collateral < debt0.8 instead of collateral0.8 > debt, allowing 125% borrowing vs intended 80%

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.