Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Function `withdrawNFT()` wrongly applies `liquidationThreshold` to `userDebt`

Summary

In LendingPool, the function `withdrawNFT()` incorrectly applies the liquidation threshold to `userDebt`, which reduces it to a lower value.

The resulting comparison is wrong and can leave the user's total collateral under-collateralized.

Vulnerability Details

Users can withdraw their NFT collateral using withdraw().

A validation check is meant to ensure that the remaining NFT collateral (`collateralValue - nftValue`) is sufficient to cover `userDebt`.

However, the check is implemented incorrectly in `withdrawNFT()`:

```solidity
if (collateralValue - nftValue < userDebt.percentMul(liquidationThreshold)) {
    revert WithdrawalWouldLeaveUserUnderCollateralized();
}
```

Notice that `liquidationThreshold` is applied to `userDebt`, so the remaining collateral is compared against a much lower debt figure, which is completely wrong.

The `liquidationThreshold` should be applied to the difference between `collateralValue` and `nftValue`, which would ensure that the position is not left under-collateralized.

Impact

Users will be able to withdraw NFTs even when the remaining collateral is insufficient to cover the whole `userDebt`.

Tools Used

Manual

Recommendations

Consider doing this instead:

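```solidity
// Collateral that remains after the NFT is withdrawn
uint256 difference = collateralValue - nftValue;
// Discount the remaining collateral by the threshold, then compare with the full debt
if (difference.percentMul(liquidationThreshold) < userDebt) {
    revert WithdrawalWouldLeaveUserUnderCollateralized();
}
```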
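The difference between the two checks, worked through numerically as an added JavaScript example (not code from the submission or the project). It assumes `percentMul` works in basis points with half-up rounding and uses the 80% threshold mentioned in the judging tag; all position values are constructed.

```javascript
// Added illustration with constructed values; not the project's contract code.
// Assumption: percentMul works in basis points (10000 = 100%), rounding half up.
const PERCENTAGE_FACTOR = 10000n;

function percentMul(value, bps) {
  return (value * bps + PERCENTAGE_FACTOR / 2n) / PERCENTAGE_FACTOR;
}

function remainingCollateral(collateralValue, nftValue) {
  // The contract's uint256 subtraction cannot go negative; reject such input.
  if (nftValue > collateralValue) throw new RangeError("nftValue > collateralValue");
  return collateralValue - nftValue;
}

// Check as quoted in the finding: the threshold shrinks the debt.
function flawedAllowsWithdrawal(collateralValue, nftValue, userDebt, thresholdBps) {
  const remaining = remainingCollateral(collateralValue, nftValue);
  return !(remaining < percentMul(userDebt, thresholdBps));
}

// Check as recommended in the finding: the threshold discounts the collateral.
function fixedAllowsWithdrawal(collateralValue, nftValue, userDebt, thresholdBps) {
  const remaining = remainingCollateral(collateralValue, nftValue);
  return !(percentMul(remaining, thresholdBps) < userDebt);
}

// Largest debt a check still accepts when `remaining` collateral is left.
// Both checks are monotone in debt, so a scan up to 2x collateral suffices.
function maxDebtAllowed(allows, remaining, thresholdBps) {
  let max = 0n;
  for (let debt = 0n; debt <= remaining * 2n; debt++) {
    if (allows(remaining, 0n, debt, thresholdBps)) max = debt;
  }
  return max;
}

const THRESHOLD = 8000n; // 80% in basis points
// Constructed position: two NFTs worth 1000 each, debt of 1200, withdraw one NFT.
console.log("flawed allows:", flawedAllowsWithdrawal(2000n, 1000n, 1200n, THRESHOLD));
console.log("fixed allows: ", fixedAllowsWithdrawal(2000n, 1000n, 1200n, THRESHOLD));
console.log("max debt per 1000 (flawed):", maxDebtAllowed(flawedAllowsWithdrawal, 1000n, THRESHOLD));
console.log("max debt per 1000 (fixed): ", maxDebtAllowed(fixedAllowsWithdrawal, 1000n, THRESHOLD));
```

In the constructed position the flawed check lets the withdrawal through even though the debt (1200) exceeds the remaining collateral (1000), while the recommended check rejects it.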
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::borrow as well as withdrawNFT() reverses collateralization check, comparing collateral < debt*0.8 instead of collateral*0.8 > debt, allowing 125% borrowing vs intended 80%
