Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

User will be liquidated more than borrowed

Likelihood

High

Impact

High (Loss of User NFTs)

Condition:

The user deposits more NFTs after someone calls initiateLiquidation().

Description

Liquidation is the process of recovering the funds lost in lending to the user. It happens by transferring the user's deposited NFTs to the stability pool. However, a problem arises when the user has more collateral than the borrowed amount.

    if (block.timestamp <= liquidationStartTime[userAddress] + liquidationGracePeriod) {
        revert GracePeriodNotExpired();
    }
    UserData storage user = userData[userAddress];
    uint256 userDebt = user.scaledDebtBalance.rayMul(reserve.usageIndex);
    isUnderLiquidation[userAddress] = false;
    liquidationStartTime[userAddress] = 0;
    // Transfer NFTs to Stability Pool
@>  for (uint256 i = 0; i < user.nftTokenIds.length; i++) {
        uint256 tokenId = user.nftTokenIds[i];
        user.depositedNFTs[tokenId] = false;
        raacNFT.transferFrom(address(this), stabilityPool, tokenId);
    }
    delete user.nftTokenIds;

As a result, the user loses all of their NFTs. user.nftTokenIds contains not only the NFTs on which the health factor calculation was based but also any newly added NFT. A malicious actor who sees that an innocent user has added a new NFT during the grace period can call this function, making the owner lose everything.

Mitigation

Track the NFTs on which the health factor calculation was based, and liquidate only those.
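
One way to implement this tracking, added here as an illustration and not taken from the RAAC contracts: snapshot the collateral count when liquidation is initiated and seize only that prefix of nftTokenIds. The names liquidationNftCount, finalize and SnapshotLiquidationSketch are hypothetical, and health-factor, grace-period and debt logic are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

interface IERC721Minimal {
    function transferFrom(address from, address to, uint256 tokenId) external;
}

// Added sketch, not RAAC code. liquidationNftCount and finalize() are hypothetical.
// Assumes nftTokenIds is append-only while a liquidation is open (no withdrawals).
contract SnapshotLiquidationSketch {
    struct UserData {
        uint256[] nftTokenIds;
        mapping(uint256 => bool) depositedNFTs;
    }
    IERC721Minimal public immutable raacNFT;
    address public immutable stabilityPool;
    mapping(address => UserData) private userData;
    mapping(address => bool) public isUnderLiquidation;
    mapping(address => uint256) public liquidationNftCount; // NFTs at risk, fixed at initiation

    constructor(IERC721Minimal nft, address pool) { raacNFT = nft; stabilityPool = pool; }

    function depositNFT(uint256 tokenId) external {
        UserData storage user = userData[msg.sender];
        user.nftTokenIds.push(tokenId); // lands after any open snapshot boundary
        user.depositedNFTs[tokenId] = true;
        raacNFT.transferFrom(msg.sender, address(this), tokenId);
    }

    function initiateLiquidation(address userAddress) external {
        // Without this guard a second call would re-snapshot and include late deposits.
        require(!isUnderLiquidation[userAddress], "already under liquidation");
        isUnderLiquidation[userAddress] = true;
        liquidationNftCount[userAddress] = userData[userAddress].nftTokenIds.length;
    }

    function finalize(address userAddress) external {
        require(isUnderLiquidation[userAddress], "not under liquidation");
        UserData storage user = userData[userAddress];
        uint256 seized = liquidationNftCount[userAddress];
        uint256 kept = user.nftTokenIds.length - seized;
        isUnderLiquidation[userAddress] = false;
        liquidationNftCount[userAddress] = 0;
        for (uint256 i = 0; i < seized; i++) { // only ids present at initiation
            uint256 tokenId = user.nftTokenIds[i];
            user.depositedNFTs[tokenId] = false;
            raacNFT.transferFrom(address(this), stabilityPool, tokenId);
        }
        // Shift NFTs deposited after initiation to the front, then trim the tail.
        for (uint256 i = 0; i < kept; i++) user.nftTokenIds[i] = user.nftTokenIds[seized + i];
        for (uint256 i = 0; i < seized; i++) user.nftTokenIds.pop();
    }
}
```

If the pool allows withdrawals that reorder nftTokenIds during an open liquidation, an index-based snapshot no longer identifies the original collateral and the token ids themselves would have to be recorded.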

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Users can deposit NFTs using LendingPool::depositNFT while under liquidation, leading to unfair liquidation of NFTs that weren't part of original position
