Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

RAAC NFT tokens transferred to the stability pool during liquidation are stuck forever.

Summary

The liquidateBorrower function in the StabilityPool contract lets the stability pool handle liquidations in the lending pool when no one has liquidated the position beforehand.

When the stability pool takes care of a liquidation, it ultimately calls the finalizeLiquidation function in the lending pool, which executes the following lines of code:

for (uint256 i = 0; i < user.nftTokenIds.length; i++) {
    uint256 tokenId = user.nftTokenIds[i];
    user.depositedNFTs[tokenId] = false;
    // @audit HIGH: raacNFT transferred to stability pool are stuck in the contract
    raacNFT.transferFrom(address(this), stabilityPool, tokenId);
}

This means the RAACNFTs that are liquidated are transferred from the lending pool to the stability pool.

The problem arises because the stability pool doesn't include any mechanism to transfer such NFTs, leading to these NFTs being stuck forever in the contract.

Impact

The impact of this vulnerability is high: RAAC NFTs are systematically locked in the stability pool contract whenever a liquidation is executed by the stability pool through liquidateBorrower.

Tools Used

Manual review

Recommendations

Implement a feature in the stability pool contract that allows RAAC NFTs to be transferred from the stability pool contract to another address.

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Liquidated RAACNFTs are sent to the StabilityPool by LendingPool::finalizeLiquidation where they get stuck
