Summary
In the borrowing logic due to an incorrectly set liquidation threshold. The threshold is set too low (80%), allowing users to borrow more than their collateral's value. This results in undercollateralized
positions immediately after borrowing, exposing the protocol to the risk of bad debt and enabling immediate liquidations.
Vulnerability Details
The borrow function in the LendingPool contract checks if the user's collateral value is sufficient to cover the new debt using the formula:
function borrow(uint256 amount) external nonReentrant whenNotPaused onlyValidAmount(amount) {
if (isUnderLiquidation[msg.sender]) revert CannotBorrowUnderLiquidation();
UserData storage user = userData[msg.sender];
uint256 collateralValue = getUserCollateralValue(msg.sender);
if (collateralValue == 0) revert NoCollateral();
ReserveLibrary.updateReserveState(reserve, rateData);
_ensureLiquidity(amount);
uint256 userTotalDebt = user.scaledDebtBalance.rayMul(reserve.usageIndex) + amount;
@>> if (collateralValue < userTotalDebt.percentMul(liquidationThreshold)) {
@>> revert NotEnoughCollateralToBorrow();
@>> }
uint256 scaledAmount = amount.rayDiv(reserve.usageIndex);
(bool isFirstMint, uint256 amountMinted, uint256 newTotalSupply) = IDebtToken(reserve.reserveDebtTokenAddress).mint(msg.sender, msg.sender, amount, reserve.usageIndex);
IRToken(reserve.reserveRTokenAddress).transferAsset(msg.sender, amount);
user.scaledDebtBalance += scaledAmount;
reserve.totalUsage = newTotalSupply;
ReserveLibrary.updateInterestRatesAndLiquidity(reserve, rateData, 0, amount);
_rebalanceLiquidity();
emit Borrow(msg.sender, amount);
}
The liquidationThreshold
is initialized to 80% (BASE_LIQUIDATION_THRESHOLD = 80 * 1e2
). This setup allows the debt to exceed the collateral value, as the calculation effectively permits the debt to be up to 125% of the collateral (since 80% of 125% equals 100%). Consequently, users can borrow amounts that leave their positions undercollateralized from the start, making them immediately eligible for liquidation and risking the protocol's solvency.
POC
The following Hardhat test demonstrates the issue:
describe("LendingPool Borrow Threshold Vulnerability", () => {
let lendingPool, reserveAsset, raacNFT, user;
const NFT_VALUE = ethers.utils.parseEther("100");
const BORROW_AMOUNT = ethers.utils.parseEther("125");
before(async () => {
[user] = await ethers.getSigners();
const ERC20Mock = await ethers.getContractFactory("ERC20Mock");
reserveAsset = await ERC20Mock.deploy("crvUSD", "crvUSD", 18);
const RAACNFT = await ethers.getContractFactory("RAACNFTMock");
raacNFT = await RAACNFT.deploy();
const LendingPool = await ethers.getContractFactory("LendingPool");
lendingPool = await LendingPool.deploy(
reserveAsset.address,
ethers.constants.AddressZero,
ethers.constants.AddressZero,
raacNFT.address,
user.address,
1e27
);
await raacNFT.mint(user.address, 1);
await lendingPool.connect(user).depositNFT(1);
});
it("Allows dangerous borrowing at 125% collateralization", async () => {
await lendingPool.connect(user).borrow(BORROW_AMOUNT);
const healthFactor = await lendingPool.calculateHealthFactor(user.address);
expect(healthFactor).to.be.lt(ethers.utils.parseEther("1"));
await lendingPool.initiateLiquidation(user.address);
expect(await lendingPool.isUnderLiquidation(user.address)).to.be.true;
});
});
Key Value Flow:
1. Collateral Value: 100 ETH
2. Liquidation Threshold: 80% (0.8)
3. Allowed Debt Calculation: 100 ETH / 0.8 = 125 ETH
4. Actual Borrowed Amount: 125 ETH
5. Resulting Health Factor: (100 * 0.8) / 125 = 0.64 (<1.0)
Impact
This issue allows users to create undercollateralized
loans, leading to immediate liquidations. Over time, this can result in significant bad debt accumulation if collateral values decrease, threatening the protocol's financial stability. Attackers could exploit this to intentionally create risky positions, draining protocol reserves during liquidations.
Tools Used
Manual Review
Recommendations
-
Adjust Liquidation Threshold:
Set BASE_LIQUIDATION_THRESHOLD
to a safer value like 125% (125 * 1e2) to ensure collateral covers debt with a buffer:
uint256 public constant BASE_LIQUIDATION_THRESHOLD = 125 * 1e2;
-
Revise Collateral Check Logic:
Ensure the formula properly represents the collateral-to-debt ratio. The correct check should enforce:
collateralValue >= userTotalDebt.percentDiv(liquidationThreshold)
Where percentDiv
divides by the threshold percentage to calculate minimum required collateral.