Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

The processing method of finalizeLiquidation function causes the user's NFT assets to be undervalued, leading to losses in the liquidation process

wttt

Summary

The liquidation process allows the Stability Pool to acquire NFTs at potentially undervalued prices without providing fair compensation to the liquidated user. This creates an unfair advantage for the Stability Pool and may lead to user losses.

Vulnerability Details

In the finalizeLiquidation function, when the grace period expires, the Stability Pool takes ownership of the liquidated user's NFTs without an adequate compensation mechanism. The NFTs are transferred directly to the Stability Pool, which may acquire them at a price significantly lower than their fair market value.

for (uint256 i = 0; i < user.nftTokenIds.length; i++) {

uint256 tokenId = user.nftTokenIds[i];

user.depositedNFTs[tokenId] = false;

raacNFT.transferFrom(address(this), stabilityPool, tokenId);

}

delete user.nftTokenIds;

// Burn DebtTokens from the user

(uint256 amountScaled, uint256 newTotalSupply, uint256 amountBurned, uint256 balanceIncrease) = IDebtToken(reserve.reserveDebtTokenAddress).burn(userAddress, userDebt, reserve.usageIndex);

// Transfer reserve assets from Stability Pool to cover the debt

IERC20(reserve.reserveAssetAddress).safeTransferFrom(msg.sender, reserve.reserveRTokenAddress, amountScaled);

The issue arises because there is no mechanism to ensure that the Stability Pool compensates the liquidated user fairly for the seized NFTs. This could be exploited to allow the Stability Pool to acquire high-value NFTs at a discount, leading to a loss for users.

Assumption: User Alice pledges NFT to borrow money

Alice pledges an NFT, and the current market price is 15 ETH.
Alice borrows 10 ETH for trading or other purposes.
Liquidation Threshold = 80%, which means:
The market fluctuates, and the price of Alice's NFT drops from 15 ETH to 11 ETH.
• Recalculate the health factor:
Health factor = 11*0.8/10 = 0.88

Stability Pool gets NFT at a low price

Stability Pool sees Alice trigger liquidation and pays 10 ETH to liquidate the debt.
But the market price of Alice's NFT is now 11 ETH, and Stability Pool only spends 10 ETH to take the NFT.
Alice loses 1 ETH (her NFT is worth 11 ETH, but her debt only offsets 10 ETH).
Stability Pool earned 1 ETH, which is equivalent to buying NFT at a low price.

Impact

Users whose NFTs are liquidated may receive unfairly low compensation.Users may lose confidence in the protocol if liquidations are perceived as unfair.

Tools Used

Manual review

Recommendations

Add premium return mechanism

• Calculate the current market price of NFT (can be provided by oracle or DEX price).

• If the market price is higher than userDebt, return the difference to the user.

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.