Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

Users can deposit NFTs in the liquidation state to evade liquidation, causing losses to the liquidator and system injustice

Summary

The smart contract system allows users who are under liquidation to deposit NFTs. This creates an opportunity for users to manipulate their position in the liquidation process, which may delay or prevent the liquidation, unfairly protect their assets, and ultimately disrupt the fairness and efficiency of the liquidation mechanism.

Vulnerability Details

struct UserData {
    uint256 scaledDebtBalance;
    uint256[] nftTokenIds;
    mapping(uint256 => bool) depositedNFTs;
    bool underLiquidation;
    uint256 liquidationStartTime;
}

function depositNFT(uint256 tokenId) external nonReentrant whenNotPaused {
    // update state
    ReserveLibrary.updateReserveState(reserve, rateData);
    if (raacNFT.ownerOf(tokenId) != msg.sender) revert NotOwnerOfNFT();
    UserData storage user = userData[msg.sender];
    if (user.depositedNFTs[tokenId]) revert NFTAlreadyDeposited();
    user.nftTokenIds.push(tokenId);
    user.depositedNFTs[tokenId] = true;
    raacNFT.safeTransferFrom(msg.sender, address(this), tokenId);
    emit NFTDeposited(msg.sender, tokenId);
}

When a user deposits an NFT, depositNFT does not check the underLiquidation flag in UserData. This problem can cause losses to the interests of liquidators and can continue to undermine the normal operation of the entire system.

• When a user is about to be liquidated, he can temporarily deposit a low-value NFT to increase the collateral value and reduce the LTV (loan-to-value ratio) to avoid liquidation.

• This is equivalent to a "cheating" method. Users can adjust their collateral at will, delay liquidation, and affect the debt recovery of the protocol.

Example:

• Alice pledged an NFT worth 10 ETH, borrowed 8 ETH, and LTV = 80% (just triggered the liquidation threshold).

• The market fell, the value of the NFT became 9 ETH, and the LTV became 88.9%, which should have been liquidated.

• Alice immediately deposited an NFT worth 1 ETH, the total collateral became 10 ETH, and the LTV dropped to 80%, avoiding liquidation.

• After that, Alice continued to deposit low-liquidity NFTs, constantly raising the collateral value, and repeatedly delaying liquidation.

• As a liquidator, Bob plans to liquidate Alice's NFT to recover the 8 ETH debt.

• Alice suddenly deposited 3 low-liquidity NFTs before liquidation, which made Bob unable to cash out quickly and eventually gave up liquidation.

Result: Alice successfully evaded liquidation, Bob wasted gas fees in vain, and the enthusiasm of liquidators was affected.

Impact

Users can evade liquidation and maliciously delay debt repayment, which will cause losses to the interests of liquidators and lead to a state of distrust in the entire system.

Tools Used

Manual review

Recommendations

Restrict users under liquidation from depositing NFTs. Rule: once a user enters the liquidation state, depositing NFTs is prohibited.

function depositNFT(uint256 tokenId) external nonReentrant whenNotPaused {
    // update state
    ReserveLibrary.updateReserveState(reserve, rateData);
    if (raacNFT.ownerOf(tokenId) != msg.sender) revert NotOwnerOfNFT();
    UserData storage user = userData[msg.sender];
    // Restrict users under liquidation from depositing NFTs
    if (user.underLiquidation) revert();
    if (user.depositedNFTs[tokenId]) revert NFTAlreadyDeposited();
    user.nftTokenIds.push(tokenId);
    user.depositedNFTs[tokenId] = true;
    raacNFT.safeTransferFrom(msg.sender, address(this), tokenId);
    emit NFTDeposited(msg.sender, tokenId);
}
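
The Alice scenario and the recommended guard, replayed in a small JavaScript model (an added example, not part of the original submission or of the RAAC contracts). It assumes collateral value is the sum of deposited NFT prices and that liquidation can start once LTV exceeds 80%; `initiateLiquidation`, `replayAlice`, the `UnderLiquidation` and `PositionHealthy` error names and the price values are hypothetical.

```javascript
// Added model, not RAAC code. Values are milli-ETH BigInts (constructed).
const THRESHOLD_BPS = 8000n; // assumption: liquidation can start above 80% LTV

function newUser(debt) {
  return { debt, nftTokenIds: [], depositedNFTs: new Set(), underLiquidation: false };
}

// LTV in basis points: debt / sum of deposited NFT prices (assumed valuation).
function ltvBps(user, prices) {
  const collateral = user.nftTokenIds.reduce((sum, id) => sum + prices.get(id), 0n);
  return collateral === 0n ? null : (user.debt * 10000n) / collateral;
}

// Mirrors depositNFT from the report; `guarded` enables the recommended check.
function depositNFT(user, tokenId, guarded) {
  if (guarded && user.underLiquidation) throw new Error("UnderLiquidation");
  if (user.depositedNFTs.has(tokenId)) throw new Error("NFTAlreadyDeposited");
  user.nftTokenIds.push(tokenId);
  user.depositedNFTs.add(tokenId);
}

// Hypothetical stand-in for the liquidation trigger, which the report does not show.
function initiateLiquidation(user, prices) {
  const ltv = ltvBps(user, prices);
  if (ltv === null || ltv <= THRESHOLD_BPS) throw new Error("PositionHealthy");
  user.underLiquidation = true;
}

// Replays the Alice steps and records LTV after each one.
function replayAlice(guarded) {
  const prices = new Map([[1, 10_000n], [2, 1_000n]]); // NFT 1: 10 ETH, NFT 2: 1 ETH
  const alice = newUser(8_000n);                        // 8 ETH debt
  depositNFT(alice, 1, guarded);
  const trace = { start: ltvBps(alice, prices) };
  prices.set(1, 9_000n);                                // market falls to 9 ETH
  trace.afterDrop = ltvBps(alice, prices);
  initiateLiquidation(alice, prices);
  try {
    depositNFT(alice, 2, guarded);
    trace.deposit = "accepted";
  } catch (err) {
    trace.deposit = err.message;
  }
  trace.end = ltvBps(alice, prices);
  trace.underLiquidation = alice.underLiquidation;
  return trace;
}

console.log(replayAlice(false), replayAlice(true));
```

In this model the unguarded deposit is accepted and LTV returns to 8000 bps while `underLiquidation` stays set; with the guard the deposit is rejected and LTV stays at 8888 bps.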
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement