Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

NFTs can get stuck in the StabilityPool

Summary

NFTs can get stuck in the StabilityPool after liquidation.

Vulnerability Details

After the liquidation's grace period matures, the owner of StabilityPool calls liquidateBorrower to finalize the liquidation.
The liquidateBorrower function will then make a call to finalizeLiquidation on LendingPool.sol:

// Call finalizeLiquidation on LendingPool
lendingPool.finalizeLiquidation(userAddress);

The lending pool transfers the borrower's NFTs to the StabilityPool as part of the liquidation:

// Transfer NFTs to Stability Pool
for (uint256 i = 0; i < user.nftTokenIds.length; i++) {
    uint256 tokenId = user.nftTokenIds[i];
    user.depositedNFTs[tokenId] = false;
    raacNFT.transferFrom(address(this), stabilityPool, tokenId);
}
delete user.nftTokenIds;

The problem is that there are no functions inside the StabilityPool to manage the received NFTs (such as transferring them out or performing other actions). As a result, the NFTs will get stuck in the StabilityPool, essentially rendering them inaccessible.

Impact

NFTs will become stuck and inaccessible.

Tools Used

Manual Review

Recommendations

Define a mechanism to allow retrieval of NFTs from the StabilityPool.

Updates

Lead Judging Commences

inallhonesty Lead Judge 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Liquidated RAACNFTs are sent to the StabilityPool by LendingPool::finalizeLiquidation where they get stuck
