The borrow function in the LendingPool contains a critical vulnerability: the liquidation threshold is applied to the debt amount instead of the collateral value. This inversion allows users to borrow amounts far exceeding safe limits relative to their collateral, exposing the protocol to insolvency risk.
https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/pools/LendingPool/LendingPool.sol
This issue arises from the incorrect mathematical relationship between collateral and debt, which lets users borrow significantly more than their collateral should allow. Example:
Collateral = $200 (e.g., ETH)
Liquidation Threshold: 80%
Current Code Permits: Debt up to 250 (200 × 100 / 80 = 250).
Correct Limit: 160 (200 × 80 / 100 = 160).
Risk: If ETH drops 20% (200→160), the protocol cannot liquidate the debt, resulting in $90 (250−160) of bad debt.
Protocol Insolvency: Overborrowing leaves the protocol undercollateralized. A market downturn could render large debts unbacked.
Manual review
Apply the liquidation threshold to the collateral value, not the debt:
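An added Solidity example, not code from LendingPool.sol or from this report, that puts the inverted check beside the corrected one. The contract, function and error names are hypothetical, and the threshold is assumed to be expressed in basis points.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration. All names are hypothetical, not taken from LendingPool.sol.
contract BorrowLimitExample {
    uint256 public constant BPS = 10_000;                  // 100% in basis points
    uint256 public constant LIQUIDATION_THRESHOLD = 8_000; // 80%, as in the example

    error NotEnoughCollateral(uint256 limit, uint256 requested);

    /// Inverted check described in the finding: the threshold scales the DEBT.
    /// It passes while debt * 80% <= collateral, i.e. debt <= collateral * 100 / 80.
    function invertedCheck(uint256 collateralValue, uint256 totalDebt)
        public pure returns (bool)
    {
        return collateralValue >= (totalDebt * LIQUIDATION_THRESHOLD) / BPS;
    }

    /// Corrected limit: the threshold scales the COLLATERAL,
    /// so debt can never exceed collateral * 80 / 100.
    function maxDebt(uint256 collateralValue) public pure returns (uint256) {
        return (collateralValue * LIQUIDATION_THRESHOLD) / BPS;
    }

    /// Guard to run before any debt is issued. Reverts when the user's
    /// existing debt plus the requested amount exceeds the corrected limit.
    function checkBorrow(uint256 collateralValue, uint256 currentDebt, uint256 amount)
        external pure
    {
        uint256 totalDebt = currentDebt + amount;
        uint256 limit = maxDebt(collateralValue);
        if (totalDebt > limit) revert NotEnoughCollateral(limit, totalDebt);
    }

    /// Portion of the debt that the collateral no longer covers after a
    /// price move (zero while the position is still fully backed).
    function unbackedDebt(uint256 collateralValue, uint256 totalDebt)
        public pure returns (uint256)
    {
        return totalDebt > collateralValue ? totalDebt - collateralValue : 0;
    }
}
```

With the figures above, the inverted check admits debt of 250 against collateral of 200, while the corrected guard caps it at 160.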