Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

StabilityPool Cannot Handle NFTs During Liquidation

anomX

Summary

The StabilityPool contract lacks the necessary implementation to receive and handle NFTs during liquidation, despite being the designated recipient of NFTs in the LendingPool's liquidation process. This mismatch can cause liquidations to fail and potentially lock NFTs in the LendingPool.

Vulnerability Details

Source

LendingPool.sol#L517
[StabilityPool.sol])

The LendingPool attempts to transfer NFTs to the StabilityPool during liquidation:

// In LendingPool.sol

for (uint256 i = 0; i < user.nftTokenIds.length; i++) {

uint256 tokenId = user.nftTokenIds[i];

user.depositedNFTs[tokenId] = false;

raacNFT.transferFrom(address(this), stabilityPool, tokenId);

}

However, the StabilityPool contract:

Does not implement ERC721Holder
Has no functionality to handle or manage received NFTs
Lacks methods to distribute or auction liquidated NFTs

Proof of Concept

A user's position in LendingPool becomes liquidatable
The StabilityPool try liquidation through finalizeLiquidation
LendingPool attempts to transfer NFTs to StabilityPool
The transfer fails because StabilityPool cannot receive ERC721 tokens
The entire liquidation transaction reverts
The liquidation cannot be completed, potentially leaving bad debt in the system

Impact

Liquidations involving NFTs will fail
System cannot handle underwater positions properly
NFTs could potentially become locked in the LendingPool
Stability mechanism of the protocol is compromised

Tools Used

Manual code review

Recommendations

Implement ERC721 receiver functionality in StabilityPool:

// In StabilityPool.sol

+ import "@openzeppelin/contracts-upgradeable/token/ERC721/utils/ERC721HolderUpgradeable.sol";

- contract StabilityPool is IStabilityPool, Initializable, ReentrancyGuardUpgradeable, OwnableUpgradeable, PausableUpgradeable {

+ contract StabilityPool is IStabilityPool, Initializable, ReentrancyGuardUpgradeable, OwnableUpgradeable, PausableUpgradeable, ERC721HolderUpgradeable {

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Liquidated RAACNFTs are sent to the StabilityPool by LendingPool::finalizeLiquidation where they get stuck

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!