LendingPool::withdrawNFT() assumes a 1:1 ratio between crvUSD and USD, which can result in bad debt for the protocol
To get an NFT price in LendingPool, we call RAACHousePrices::getLatestPrice(), which returns the following:
This returns the USD price of a house, as written in a comment in the contract:
Then, we have the following code to determine whether a user is leaving himself undercollateralized during a collateral (NFT) withdrawal:
The user's debt is denominated in the crvUSD token, and it is compared directly to the USD price of the NFT. Essentially, this assumes that the debt token and USD trade at a ratio of 1:1, which is not necessarily the case. If we take a look at the CoinMarketCap page of the token, we will see that the ATH of the token is $1.16 and its ATL is $0.9775. If the user has 100 tokens of debt at the ATH price, then instead of $100 of debt, the user would actually have $116, which would make the check incorrect as we are assuming his debt is worth $100. The user can then get away with providing much less collateral and leave the protocol in bad debt.
Users can have undercollateralized accounts which will lead to bad debt for the protocol
Manual Review
Do not assume a 1:1 ratio between a stablecoin and USD
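The effect of the 1:1 assumption on a withdrawal check, worked through with the 100-token debt and the $1.16 ATH from above. This is an added example in Python integer arithmetic, not code from the RAAC contracts; the 80% liquidation threshold, the shape of the check, and all function names are assumptions made for illustration.

```python
# Added example: fixed-point model of a collateral check, not RAAC contract code.
WAD = 10**18   # 18-decimal fixed point, as used for token amounts and prices
BPS = 10_000   # basis-point denominator

# Assumption: the page does not state the threshold; 80% is illustrative.
LIQUIDATION_THRESHOLD_BPS = 8_000

# crvUSD/USD prices quoted on the page, scaled to WAD.
CRVUSD_ATH = 116 * WAD // 100       # $1.16
CRVUSD_ATL = 9775 * WAD // 10_000   # $0.9775


def ceil_div(a: int, b: int) -> int:
    """Integer division rounding up, so debt is never understated."""
    return -(-a // b)


def debt_value_usd(debt_tokens: int, token_price_usd: int = WAD) -> int:
    """USD value (WAD) of a crvUSD debt at the given crvUSD/USD price (WAD).

    The default price of WAD reproduces the 1:1 assumption.
    """
    if token_price_usd <= 0:
        raise ValueError("price feed returned a non-positive price")
    return ceil_div(debt_tokens * token_price_usd, WAD)


def withdrawal_allowed(remaining_collateral_usd: int, debt_tokens: int,
                       token_price_usd: int = WAD) -> bool:
    """True if the collateral left after the withdrawal still covers the debt."""
    borrowing_power = remaining_collateral_usd * LIQUIDATION_THRESHOLD_BPS // BPS
    return borrowing_power >= debt_value_usd(debt_tokens, token_price_usd)


def min_collateral_usd(debt_tokens: int, token_price_usd: int = WAD) -> int:
    """Smallest collateral value (WAD) that keeps the position healthy."""
    return ceil_div(debt_value_usd(debt_tokens, token_price_usd) * BPS,
                    LIQUIDATION_THRESHOLD_BPS)


if __name__ == "__main__":
    debt = 100 * WAD        # 100 crvUSD of debt
    remaining = 130 * WAD   # constructed: $130 of NFT collateral left after withdrawal
    print("allowed at 1:1:     ", withdrawal_allowed(remaining, debt))
    print("allowed at ATH:     ", withdrawal_allowed(remaining, debt, CRVUSD_ATH))
    print("min collateral 1:1: ", min_collateral_usd(debt) // WAD)
    print("min collateral ATH: ", min_collateral_usd(debt, CRVUSD_ATH) // WAD)
```

Under these assumptions, a position left with $130 of collateral passes the 1:1 check even though the price-aware check requires $145.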