The borrow function in LendingPool lets a user borrow crvUSD tokens if they have provided enough NFT collateral. It also takes liquidationThreshold into account.
The issue is that userTotalDebt is multiplied by liquidationThreshold, instead of collateralValue.
Assume liquidationThreshold is 80%.
Someone has $1000 in collateral (small numbers for simplicity).
He should be able to borrow $800 (1000 * 80%).
But because userTotalDebt is the value being multiplied, he can borrow up to $1250 (1250 * 80% = 1000), which is more than his collateral.
Protocol funds can be drained by borrowing more than the collateral value. The user's NFTs might also be liquidated right away, but this is probably less important, since the borrowed money would be worth more (he might even buy the NFT back later for less).
Manual Review
collateralValue should be multiplied by liquidationThreshold, not userTotalDebt.
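
The two forms of the check side by side, as an added example that models the comparison described in this finding (it is not the LendingPool source). The helper names, the basis-point representation of liquidationThreshold and the half-up rounding in `percent_mul` are assumptions.

```python
# Added illustration: models the borrow check from the finding with integer math.
# BPS, percent_mul and the function names below are assumed, not taken from LendingPool.
BPS = 10_000  # 100% expressed in basis points (assumed representation)


def percent_mul(value: int, bps: int) -> int:
    """Integer percentage multiply, rounding half up."""
    return (value * bps + BPS // 2) // BPS


def flawed_allows(collateral_value: int, total_debt: int, threshold_bps: int) -> bool:
    # Threshold is applied to the debt: the debt is shrunk before the comparison.
    return collateral_value >= percent_mul(total_debt, threshold_bps)


def fixed_allows(collateral_value: int, total_debt: int, threshold_bps: int) -> bool:
    # Threshold is applied to the collateral: borrowing power is capped below its value.
    return total_debt <= percent_mul(collateral_value, threshold_bps)


def max_debt(check, collateral_value: int, threshold_bps: int) -> int:
    """Largest total debt a check accepts (both checks are monotone in debt)."""
    lo, hi = 0, collateral_value * BPS // threshold_bps + BPS
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if check(collateral_value, mid, threshold_bps):
            lo = mid
        else:
            hi = mid - 1
    return lo


def unbacked_debt(collateral_value: int, threshold_bps: int) -> int:
    """Debt the flawed check permits beyond the collateral's full value."""
    return max(0, max_debt(flawed_allows, collateral_value, threshold_bps) - collateral_value)


if __name__ == "__main__":
    collateral, threshold = 1000, 8000  # $1000 collateral, 80% threshold (values from the finding)
    print("flawed check max debt:", max_debt(flawed_allows, collateral, threshold))
    print("fixed check max debt: ", max_debt(fixed_allows, collateral, threshold))
    print("unbacked debt:        ", unbacked_debt(collateral, threshold))
```

A position opened at the flawed maximum already fails the corrected check, which matches the immediate-liquidation remark in the impact description.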