Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

NFT sent to stability pool will be stuck

Summary

The Stability Pool contract is supposed to receive NFTs after liquidateBorrower is called by the owner or manager, but the contract does not implement the onERC721Received function, which is required for receiving ERC-721 tokens. Additionally, the contract lacks a function to withdraw NFTs, meaning any NFTs sent to the contract are permanently stuck.

Vulnerability Details

The contract does not include the onERC721Received function, which the ERC-721 standard requires of a contract that receives NFTs through safeTransferFrom. A safe transfer to the contract will therefore fail; the NFT only arrives if the sender uses a transfer that does not enforce the receiver check (e.g., manually transferring via transferFrom).

Once an NFT is sent to the Stability Pool, there is no function to recover or withdraw it.

Impact

NFTs sent to the Stability Pool contract will be stuck, and the protocol cannot transfer them.

Tools Used

Manual Review

Recommendations

Implement onERC721Received to accept ERC-721 tokens

Add a function to withdraw NFTs
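
The two recommendations combined in one sketch. This is an added example, not code from the RAAC repository; the contract name NFTHoldingPool, the single-owner access control, the events and the withdrawNFT function are assumptions, and the interfaces are declared inline so the file compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example: hypothetical names throughout, except the standard
// ERC-721 functions and the onERC721Received hook.
interface IERC721 {
    function ownerOf(uint256 tokenId) external view returns (address);
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

interface IERC721Receiver {
    function onERC721Received(address operator, address from, uint256 tokenId, bytes calldata data)
        external returns (bytes4);
}

contract NFTHoldingPool is IERC721Receiver {
    address public immutable owner; // assumption: one admin may withdraw
    IERC721 public immutable nft;   // the only collection this pool accepts

    event NFTReceived(address indexed from, uint256 indexed tokenId);
    event NFTWithdrawn(address indexed to, uint256 indexed tokenId);

    error NotOwner();
    error UnexpectedCollection();
    error ZeroAddress();
    error NotHeld();

    constructor(address nft_) {
        if (nft_ == address(0)) revert ZeroAddress();
        owner = msg.sender;
        nft = IERC721(nft_);
    }

    // Called by the token contract during safeTransferFrom. Returning the
    // selector is what lets the safe transfer succeed.
    function onERC721Received(address, address from, uint256 tokenId, bytes calldata)
        external override returns (bytes4)
    {
        if (msg.sender != address(nft)) revert UnexpectedCollection();
        emit NFTReceived(from, tokenId);
        return IERC721Receiver.onERC721Received.selector;
    }

    // Recovery path. Checks ownerOf instead of internal bookkeeping so that
    // tokens that arrived via plain transferFrom (no hook) can also be moved.
    function withdrawNFT(address to, uint256 tokenId) external {
        if (msg.sender != owner) revert NotOwner();
        if (to == address(0)) revert ZeroAddress();
        if (nft.ownerOf(tokenId) != address(this)) revert NotHeld();
        emit NFTWithdrawn(to, tokenId);
        nft.safeTransferFrom(address(this), to, tokenId);
    }
}
```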

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Liquidated RAACNFTs are sent to the StabilityPool by LendingPool::finalizeLiquidation where they get stuck
