Inability to Handle NFTs in Stability Pool After Liquidation
Summary
The finalizeLiquidation function in the LendingPool contract transfers NFTs to the Stability Pool during liquidation. However, the StabilityPool.sol contract lacks functionality to manage or transfer out these NFTs, leading to potential asset lockup and protocol inefficiencies.
Vulnerability Details
Explanation
The finalizeLiquidation function is designed to handle the liquidation process for a user who has defaulted on their debt. During this process, liquidateBorrower is called from the StabilityPool contract, which calls finalizeLiquidation, the user's NFTs are transferred to the Stability Pool as part of the collateral recovery mechanism. However, the Stability Pool contract does not have any functionality to manage or transfer these NFTs after they are received. This creates a critical issue where NFTs are effectively locked in the Stability Pool, rendering them inaccessible and unusable.
Root Cause in the Contract Function
In the finalizeLiquidation function, the following code transfers NFTs to the Stability Pool:
While this code successfully transfers the NFTs to the Stability Pool, the Stability Pool contract does not implement any mechanism to:
Store or track the received NFTs.
Transfer or redistribute the NFTs to other users or back to the protocol.
Sell or liquidate the NFTs to recover value for the protocol.
This oversight results in NFTs being permanently locked in the Stability Pool, leading to:
Loss of Value: The protocol cannot recover or utilize the value of the locked NFTs.
Inefficient Asset Management: The Stability Pool becomes a dead end for NFTs, reducing the overall efficiency of the liquidation process.
Proof of Concept
Scenario Example
User Defaults: A user defaults on their debt, triggering the liquidation process.
NFTs Transferred to Stability Pool: The
StabilityPool::liquidateBorroweris called, which then callsLendingPool::finalizeLiquidationfunction that transfers the user's NFTs to the Stability Pool.NFTs Locked: The Stability Pool has no functionality to manage or transfer the NFTs, causing them to be permanently locked.
Code
The vulnerability is demonstrated in the finalizeLiquidation function:
This code transfers NFTs to the Stability Pool but does not address how the Stability Pool will handle them afterward.
Impact
Asset Lockup: NFTs transferred to the Stability Pool are permanently locked, leading to a loss of value for the protocol.
Financial Loss: The protocol cannot recover the value of locked NFTs, leading to potential financial losses.
Tools Used
Manual Code Review: The vulnerability was identified through a manual review of the
finalizeLiquidationfunction and theStabilityPool.solcontract.Solidity: The smart contract language used to write the
LendingPoolandStabilityPoolcontracts.
Recommendations
Implement NFT Management in Stability Pool:
Add functionality to the Stability Pool contract to store, track, and manage NFTs received during liquidation.
Implement functions to transfer or redistribute NFTs to other users, or sell or back to the protocol.
Example:
Lead Judging Commences
Liquidated RAACNFTs are sent to the StabilityPool by LendingPool::finalizeLiquidation where they get stuck
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.