Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Infinite Borrowing via Collateral Reuse

bareli

Summary

attackers can deposit NFTs, borrow max funds, and transfer funds externally before price updates.

They can then repay when the price drops, leading to unfair profit loops.

Vulnerability Details

function borrow(uint256 amount) external nonReentrant whenNotPaused onlyValidAmount(amount) {

if (isUnderLiquidation\[msg.sender]) revert CannotBorrowUnderLiquidation();

UserData storage user = userData[msg.sender];

uint256 collateralValue = getUserCollateralValue(msg.sender);

if (collateralValue == 0) revert NoCollateral();

// Update reserve state before borrowing

ReserveLibrary.updateReserveState(reserve, rateData);

// Ensure sufficient liquidity is available

_ensureLiquidity(amount);

// Fetch user's total debt after borrowing

uint256 userTotalDebt = user.scaledDebtBalance.rayMul(reserve.usageIndex) + amount;

// Ensure the user has enough collateral to cover the new debt

if (collateralValue < userTotalDebt.percentMul(liquidationThreshold)) {

revert NotEnoughCollateralToBorrow();

}

// Update user's scaled debt balance

uint256 scaledAmount = amount.rayDiv(reserve.usageIndex);

// Mint DebtTokens to the user (scaled amount)

(bool isFirstMint, uint256 amountMinted, uint256 newTotalSupply) = IDebtToken(reserve.reserveDebtTokenAddress).mint(msg.sender, msg.sender, amount, reserve.usageIndex);

// Transfer borrowed amount to user

IRToken(reserve.reserveRTokenAddress).transferAsset(msg.sender, amount);

user.scaledDebtBalance += scaledAmount;

// reserve.totalUsage += amount;

reserve.totalUsage = newTotalSupply;

// Update liquidity and interest rates

ReserveLibrary.updateInterestRatesAndLiquidity(reserve, rateData, 0, amount);

// Rebalance liquidity after borrowing

_rebalanceLiquidity();

emit Borrow(msg.sender, amount);

}

Impact

Tools Used

Recommendations

Implement a cooldown period for borrowing after repayment.

Limit borrowing frequency per block.

mapping(address => uint256) public lastBorrowTimestamp;

uint256 public constant BORROW_COOLDOWN = 10 minutes;

function borrow(uint256 amount) external nonReentrant whenNotPaused

{ require(block.timestamp > lastBorrowTimestamp[msg.sender] + BORROW_COOLDOWN, "Borrow cooldown active");

lastBorrowTimestamp[msg.sender] = block.timestamp; // Borrow logic }

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago

Submission Judgement Published

Invalidated

Reason: Too generic

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.