Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

Over-Seizure of NFT Collateral During Liquidation

01. Relevant GitHub Links

02. Summary

When the LendingPool contract initiates liquidation, it seizes all of the user’s deposited NFTs rather than only the portion necessary to cover the outstanding debt. This can cause excessive loss for users because they forfeit the entire NFT collateral set, even if only a fraction is needed to repay the debt plus any associated liquidation bonus.

03. Vulnerability Details

Upon calling finalizeLiquidation(), the contract transfers all NFTs from the liquidated user to the Stability Pool:

    for (uint256 i = 0; i < user.nftTokenIds.length; i++) {
        uint256 tokenId = user.nftTokenIds[i];
        user.depositedNFTs[tokenId] = false;
        raacNFT.transferFrom(address(this), stabilityPool, tokenId);
    }

This design does not account for the user’s remaining equity once the borrowed amount and any fees are covered. If a user has multiple valuable NFTs, the protocol seizes them entirely rather than just enough to cover the debt plus liquidation costs.

04. Impact

  • Users risk losing all NFTs deposited as collateral, which can be significantly more valuable than their outstanding debt.

05. Tools Used

Manual Code Review and Foundry

06. Recommended Mitigation

Only seize enough NFT collateral to cover the outstanding debt and a reasonable liquidation bonus. Avoid automatically transferring all NFTs, which leads to over-seizure of user assets.
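
One way to express the recommended mitigation, as an added example that is not part of the submission or the project's code. `IPriceOracle`, `priceOf`, `IERC721Like`, `PartialLiquidation`, `UserData`, `BONUS_BPS` and `_seize` are hypothetical names, and a per-token price oracle is assumed; only `nftTokenIds`, `depositedNFTs`, `raacNFT` and `stabilityPool` come from the snippet above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example. All interface, contract and function names here are hypothetical.
interface IPriceOracle { function priceOf(uint256 tokenId) external view returns (uint256); }
interface IERC721Like { function transferFrom(address from, address to, uint256 tokenId) external; }

abstract contract PartialLiquidation {
    struct UserData {
        uint256[] nftTokenIds;
        mapping(uint256 => bool) depositedNFTs;
    }

    uint256 internal constant BPS = 10_000;
    uint256 internal constant BONUS_BPS = 500; // assumed 5% liquidation bonus

    IERC721Like internal raacNFT;
    IPriceOracle internal oracle;
    address internal stabilityPool;

    /// Seize NFTs from the end of the list until their value covers debt + bonus.
    /// Returns the value seized; NFTs are indivisible, so it can exceed the target.
    function _seize(UserData storage user, uint256 debt) internal returns (uint256 seized) {
        uint256 target = debt + (debt * BONUS_BPS + BPS - 1) / BPS; // round bonus up
        while (seized < target && user.nftTokenIds.length > 0) {
            uint256 tokenId = user.nftTokenIds[user.nftTokenIds.length - 1];
            seized += oracle.priceOf(tokenId);
            // Update bookkeeping before the external call (checks-effects-interactions)
            user.nftTokenIds.pop();
            user.depositedNFTs[tokenId] = false;
            raacNFT.transferFrom(address(this), stabilityPool, tokenId);
        }
        // seized < target here means the position was under-collateralised and
        // every NFT has been taken; the caller must handle the shortfall.
    }
}
```

Because whole NFTs are seized, the caller needs a rule for any value above `target`, and the remaining entries in `nftTokenIds` stay as the user's collateral.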

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
