The withdrawNFT and borrow functions in the lendingPool contract suffer from inconsistent decimal precision when comparing collateralValue, nftValue and userDebt. The issue arises because collateralValue and nftValue are derived from the NFT oracle, which uses a varying decimal precision, while userDebt is denominated in the borrowed token's decimals. The mismatch in decimal scaling makes the undercollateralization check wrong in both directions: users may withdraw NFTs or borrow funds while undercollateralized, or be blocked from doing so while sufficiently collateralized.
collateralValue and nftValue are derived from the NFT oracle (getNFTPrice) which may use variable decimal precision (e.g., 6, 8, or 18 decimals).
userDebt is in the token's precision. This variability is not accounted for in the comparison logic of either withdrawNFT or borrow.
The comparison collateralValue - nftValue < userDebt.percentMul(liquidationThreshold) assumes that all three values are expressed with the same number of decimals.
In withdrawNFT function:
and borrow function:
If collateralValue and nftValue are in a different precision than userDebt, the comparison is effectively comparing numbers in different units, and the result is wrong by a factor of 10^(difference in decimals). For example, with an 8-decimal oracle and an 18-decimal token, a remaining collateral of 100 units reads as 100e8 while a debt of 1 token reads as 1e18, so the check reports undercollateralization no matter how much collateral is left; with the decimals reversed, the check passes no matter how large the debt is.
Users may be allowed to withdraw NFTs or borrow funds even when they are undercollateralized leading to bad debt for the protocol.
Users may be unfairly restricted from withdrawing NFTs or borrowing funds even when they are sufficiently collateralized leading to user dissatisfaction.
Manual code review
Convert all values to the same decimal format before performing comparisons. For example, normalize collateralValue and nftValue to the native token precision (e.g., 18 decimals).
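The following is an added illustration of the recommended fix, not code from the audited lendingPool contract. It places the vulnerable comparison beside a hardened version that scales the oracle-denominated values to the token's decimals before comparing. The names nftOracle.decimals(), tokenDecimals, the PercentageMath library and the CollateralCheckExample contract are assumptions made for the example; the real contract will expose its own way of learning the oracle's precision.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited lendingPool code. All names below are
// assumed placeholders unless they appear in the finding (percentMul,
// liquidationThreshold, collateralValue, nftValue, userDebt).

interface INFTOracle {
    // Assumed: the oracle reports how many decimals its prices carry.
    function decimals() external view returns (uint8);
}

// Aave-style basis-point math: 10_000 == 100.00%. Assumed to match the
// project's percentMul.
library PercentageMath {
    uint256 internal constant PERCENTAGE_FACTOR = 1e4;

    function percentMul(uint256 value, uint256 percentage) internal pure returns (uint256) {
        return (value * percentage + PERCENTAGE_FACTOR / 2) / PERCENTAGE_FACTOR;
    }
}

contract CollateralCheckExample {
    using PercentageMath for uint256;

    INFTOracle public immutable nftOracle;
    uint8 public immutable tokenDecimals;         // decimals of the borrowed token, e.g. 18
    uint256 public immutable liquidationThreshold; // basis points, e.g. 8000 == 80%

    constructor(INFTOracle oracle, uint8 _tokenDecimals, uint256 _liquidationThreshold) {
        nftOracle = oracle;
        tokenDecimals = _tokenDecimals;
        liquidationThreshold = _liquidationThreshold;
    }

    // Vulnerable form, as described in the finding: collateralValue and
    // nftValue are raw oracle units, userDebt is in token units, and the
    // two are compared directly.
    function isUndercollateralizedVulnerable(
        uint256 collateralValue,
        uint256 nftValue,
        uint256 userDebt
    ) external view returns (bool) {
        return collateralValue - nftValue < userDebt.percentMul(liquidationThreshold);
    }

    // Rescales a value quoted with the oracle's decimals into the token's
    // decimals. Scaling down truncates dust, which is acceptable for a
    // solvency check because it rounds against the borrower.
    function normalizeOracleValue(uint256 value) public view returns (uint256) {
        uint8 oracleDecimals = nftOracle.decimals();
        if (oracleDecimals == tokenDecimals) {
            return value;
        }
        if (oracleDecimals < tokenDecimals) {
            return value * 10 ** (tokenDecimals - oracleDecimals);
        }
        return value / 10 ** (oracleDecimals - tokenDecimals);
    }

    // Hardened form: the remaining collateral is brought into token
    // decimals before it is compared with the debt.
    function isUndercollateralizedFixed(
        uint256 collateralValue,
        uint256 nftValue,
        uint256 userDebt
    ) external view returns (bool) {
        uint256 remainingCollateral = normalizeOracleValue(collateralValue - nftValue);
        return remainingCollateral < userDebt.percentMul(liquidationThreshold);
    }
}
```

If the oracle's precision varies per NFT collection rather than being a single contract-wide value, the decimals must be fetched for the specific collection alongside its price, and each NFT's value normalized individually before summing into collateralValue; otherwise a single normalization of the sum is still wrong.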