Core Contracts

Summary

In the finalizeLiquidation function of the LendingPool contract, NFTs belonging to liquidated users are transferred to the StabilityPool as part of the liquidation process. However, the StabilityPool contract does not implement the IERC721Receiver interface (via importing ERC721Holder or similar). This omission prevents the StabilityPool from accepting NFT transfers via methods such as safeTransferFrom, potentially causing the liquidation process to revert or fail.

Vulnerability Details

1. NFT Transfer in Liquidation Finalization:

   • In the finalizeLiquidation function, the LendingPool transfers each NFT from the liquidated user to the StabilityPool using:

     raacNFT.transferFrom(address(this), stabilityPool, tokenId);

   • Although this code uses transferFrom, many ERC721 implementations (and wallets) enforce safe transfer patterns. In a safe transfer scenario (e.g., using safeTransferFrom), the recipient contract must implement the IERC721Receiver interface to accept the NFT. Without this implementation, the NFT transfer can fail.

2. Missing ERC721Receiver Implementation:

   • The StabilityPool contract does not include:

     import "@openzeppelin/contracts/token/ERC721/utils/ERC721Holder.sol";

   • Without inheriting from ERC721Holder (or implementing onERC721Received directly), the StabilityPool lacks the required callback function:

     function onERC721Received(

     address operator,

     address from,

     uint256 tokenId,

     bytes calldata data

     ) external returns (bytes4);

   • This deficiency means that if the NFT transfer mechanism expects a safe transfer, the StabilityPool contract will reject the incoming NFT, causing the transfer to revert.

Impact

• Failure to Finalize Liquidations:

  • Blocked NFT Transfers: Liquidations rely on transferring NFTs from the LendingPool to the StabilityPool. If the NFT transfer fails, the liquidation process cannot be completed.

  • Stalled Liquidation Process: The inability to transfer NFTs means that liquidated positions may remain unresolved, leaving bad debt unaddressed.

• Undercollateralized Positions Persist:

  • If liquidations cannot be finalized due to transfer failures, borrowers who are undercollateralized remain in a state of limbo. This failure undermines the protocol’s risk management by preventing the recovery of collateral that should cover outstanding debt.

• Systemic Instability and Financial Risk:

  • Liquidations are a critical safety mechanism. When liquidations stall, the protocol may accumulate non-performing loans, leading to an increase in bad debt and potential insolvency risks.

  • The overall health and stability of the lending platform are jeopardized, which could lead to significant financial losses and liquidity crises.

Tools Used

Manual review

Recommendations

1. Implement ERC721Receiver in the StabilityPool:

   • Modify the StabilityPool contract to inherit from ERC721Holder:

     import "@openzeppelin/contracts/token/ERC721/utils/ERC721Holder.sol";

     ​

     contract StabilityPool is ERC721Holder {

     // Contract implementation...

     }

   • Alternatively, implement the onERC721Received function directly to ensure the contract accepts safe NFT transfers.

2. Review NFT Transfer Mechanisms:

   • Ensure that the LendingPool uses the correct NFT transfer method consistent with how the StabilityPool receives NFTs. If the StabilityPool cannot be modified, consider using transferFrom in a manner that does not trigger safe transfer checks.