Medium to Low (No specific Loss of funds but rather DOS)
High
LendingPool.sol provides functionality for lending, borrowing and repayment of loans on the basis of collateralized NFTs. If the user is unable to pay back the loan within the gracePeriod, he will be liquidated by a call to the function finalizeLiquidation(). However, a problem arises when the following line is executed in the function
The above line iterates over the userNfts array, which contains the token ids of the RAAC NFTs. However, keep in mind that not all NFTs have the same price. A person can therefore take a loan with just 1 NFT (the most expensive one) and then fill the array with cheap NFTs, potentially DoSing the finalizeLiquidation() function for himself.
=> Bob, the malicious user, gets a loan against an NFT which is significantly more expensive than other NFTs (20 ETHER).
=> Now he deposits cheaper NFTs (0.001 ETH) to fill the array, which will make user.TokenIds.length extremely big.
=> The function will run out of gas for the user Bob because of the size of the array.
Note => The user will still be able to withdraw his NFT, which was worth 20 ether, after the repayment of the loan, because the implementation of the withdrawNft() function is as follows
Manual Analysis
Tracking and separation of the collateralised NFTs.
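One way to keep liquidation gas independent of how many NFTs a borrower has deposited, shown as an added sketch that is not RAAC's LendingPool code. The contract name, function names, the cap of 50 and the batching approach are all assumptions made for illustration; token transfers, debt accounting and access control are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical sketch: every name and limit here is an assumption.
contract BoundedCollateral {
    uint256 public constant MAX_NFTS_PER_USER = 50; // assumed cap

    struct UserData {
        uint256[] tokenIds;     // deposited collateral token ids
        bool underLiquidation;  // set once the grace period has expired
    }

    mapping(address => UserData) private users;

    event CollateralSeized(address indexed user, uint256 tokenId);

    // Deposit path: refuse to grow the array past the cap, and refuse any
    // deposit while liquidation is pending, so the borrower cannot inflate
    // the work a later liquidation has to do.
    function depositNFT(uint256 tokenId) external {
        UserData storage u = users[msg.sender];
        require(!u.underLiquidation, "under liquidation");
        require(u.tokenIds.length < MAX_NFTS_PER_USER, "too many NFTs");
        u.tokenIds.push(tokenId); // transfer of the NFT into the pool omitted
    }

    // Health-factor and grace-period checks omitted in this sketch.
    function markForLiquidation(address user) external {
        users[user].underLiquidation = true;
    }

    // Liquidation in caller-sized batches: each call does at most maxItems
    // iterations, so no single transaction depends on the array length.
    function finalizeLiquidationBatch(address user, uint256 maxItems)
        external
        returns (uint256 remaining)
    {
        UserData storage u = users[user];
        require(u.underLiquidation, "not under liquidation");
        uint256 n = u.tokenIds.length;
        uint256 steps = maxItems < n ? maxItems : n;
        for (uint256 i = 0; i < steps; i++) {
            uint256 tokenId = u.tokenIds[u.tokenIds.length - 1];
            u.tokenIds.pop(); // transfer of the seized NFT omitted
            emit CollateralSeized(user, tokenId);
        }
        remaining = u.tokenIds.length;
        if (remaining == 0) u.underLiquidation = false; // debt settlement omitted
    }
}
```

Either control alone bounds the loop; the cap limits the array at deposit time, while batching lets a liquidator finish an already oversized array across several transactions.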
LightChaser L-36 and M-02 covers it.