Incorrect Collateralization Check in withdrawNFT and borrow Functions
Summary
The withdrawNFT and borrow functions in the contract incorrectly apply the liquidation threshold to the debt instead of the collateral. This allows users to borrow more than their collateral should permit, leading to potential bad debt for the protocol. The correct logic should ensure that the collateral value is at least 125% of the debt (for an 80% liquidation threshold), but the current implementation allows users to borrow up to 100% of their collateral value, which is unsafe.
Vulnerability Details
The withdrawNFT and borrow functions checks:
This checks if the remaining collateral (
collateralValue - nftValue) is less than 80% of the debt (userDebt.percentMul(liquidationThreshold)).This is backward because it allows the collateral to be less than the debt, which is unsafe.
Impact
Users can borrow more than their collateral should permit, increasing the risk of bad debt.
Tools Used
Manual
Recommendations
Apply liquidationThreshold on colleteral
Lead Judging Commences
LendingPool::borrow as well as withdrawNFT() reverses collateralization check, comparing collateral < debt*0.8 instead of collateral*0.8 > debt, allowing 125% borrowing vs intended 80%
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.