Incorrect collateral and debt value comparison made
Summary
A comparison is made between a user's collateral and debt valuation meanwhile they will have different token decimals and no normalization is done.
Vulnerability Details
If a user attempts to withdraw their NFT from the protocol, a check is put in place to ensure the user's collateral is still above the liquidation threshold after the withrawal is made:
The NFT collateral value is retrieved from the RAACHousePrices contract and is posted in USD.
The user debt value is in RToken which is always 18 decimals. The collateral value which is expressed in USDC/USDT, will be 6 decimals on mainnet and could be 18 decimals on some chains like BNB. Since no decimal normalization and adjustment is made to either of the 2 values, this check will just not work due to comparing valuation of tokens with 6 vs 18 decimals.
Impact
Completely incorrect comparison of collateral and debt values due to difference in token decimals and no decimal normalization done which will lead to unfair liquidations, permanently stuck NFTs etc.
Tools Used
Manual Review
Recommendations
Normalize the decimals of either of the tokens before comparison is made.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.