Function borrow() in LendingPool implements a require check that WRONGLY applies the liquidation threshold to userDebt instead of collateralValue.
In LendingPool contract, a user can borrow rToken using their NFT collateral. This NFT collateral can be deposited using depositNFT().
The function borrow() implements an important check that validates whether the user trying to borrow rTokens has sufficient collateral (NFT) to cover their total borrowing.
This is achieved by comparing the user's collateralValue against their userTotalDebt (which includes the current borrowing plus any previous borrowing).
However, there is an issue here. The function incorrectly applies the liquidation threshold to userTotalDebt instead of collateralValue, which allows a user to borrow MORE tokens than their collateral value.
The liquidationThreshold should have been applied to collateralValue instead, in order to properly validate the borrowing.
If userTotalDebt is greater than collateralValue.percentMul(liquidationThreshold), then the collateral is insufficient to cover the debt and the statement should revert.
The goal is to ensure that the debt stays within the borrowing power provided by the collateral.
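The following is an added example, not code from the audited LendingPool contract. It models both forms of the require condition in Python so the difference can be measured; it assumes PercentageMath-style semantics (percentages in basis points, 1e4 = 100 %, rounding half up), and the collateral and threshold values are constructed.

```python
# Added example (not the project's code): a Python model of the two require()
# conditions, showing how much more a borrower can take when the liquidation
# threshold is applied to the debt instead of the collateral.
# Assumption: percentMul follows PercentageMath (basis points, 1e4 = 100 %,
# rounded half up); this is a model of that library, not a copy of it.

PERCENTAGE_FACTOR = 10_000          # 100.00 % in basis points
HALF_PERCENT = PERCENTAGE_FACTOR // 2
WAD = 10**18                        # one token with 18 decimals

def percent_mul(value: int, pct_bps: int) -> int:
    """value.percentMul(pct): value * pct / 1e4, rounded half up (integer math)."""
    return (value * pct_bps + HALF_PERCENT) // PERCENTAGE_FACTOR

def flawed_check(user_total_debt: int, collateral_value: int, liq_threshold_bps: int) -> bool:
    """The condition as reported: threshold applied to the debt. True = borrow allowed."""
    return percent_mul(user_total_debt, liq_threshold_bps) <= collateral_value

def correct_check(user_total_debt: int, collateral_value: int, liq_threshold_bps: int) -> bool:
    """The intended condition: threshold applied to the collateral. True = borrow allowed."""
    return user_total_debt <= percent_mul(collateral_value, liq_threshold_bps)

def max_allowed_debt(check, collateral_value: int, liq_threshold_bps: int) -> int:
    """Largest debt (in wei) the given check still accepts, found by binary search.
    Both checks are monotonic in the debt, so the search is exact."""
    lo, hi = 0, 4 * collateral_value + 1   # upper bound: no check here allows 4x collateral
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if check(mid, collateral_value, liq_threshold_bps):
            lo = mid
        else:
            hi = mid - 1
    return lo

if __name__ == "__main__":
    collateral = 100 * WAD   # constructed: NFT collateral valued at 100 tokens
    threshold = 8_000        # constructed: 80 % liquidation threshold
    for name, chk in (("flawed", flawed_check), ("correct", correct_check)):
        limit = max_allowed_debt(chk, collateral, threshold)
        print(f"{name:8s} check: max debt = {limit / WAD:.2f} tokens")
```

With an 80 % threshold the flawed check lets the user borrow 125 tokens against 100 tokens of collateral, while the intended check caps the debt at 80 tokens.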
Users can borrow MORE rToken than their collateral value.
Manual review
Consider replacing the check with this one