Core Contracts

Summary

Vulnerability Details

If a user deposits an NFT into the LendingPool, they can borrow reserve assets using that NFT as collateral. If the collateral value drops, the user may be liquidated by calling initiateLiquidation, which sets isUnderLiquidation[userAddress] to true. If the user fails to repay their debt and close the liquidation within the grace period, and repays their loan after the grace period has expired, they lose their NFT.

In this situation, the NFT becomes permanently stuck in the LendingPool because isUnderLiquidation[userAddress] remains true, preventing the user from calling withdrawNFT or borrowing and in the StabilityPool the Manager or Owner cannot finalize liquidation it reverts with InvalidAmount() because userDebt is zero.

Poc

• Once a user's health factor drops below the threshold, anyone can initiate liquidation, setting isUnderLiquidation[user] = true.

• The user has a window to repay their debt and call closeLiquidation. After this period, the StabilityPool can finalize the liquidation.

• If the user repays after the grace period and before the finalize, their debt becomes zero but isUnderLiquidation remain true . The StabilityPool's attempt to finalize liquidation fails due to the zero debt check, leaving isUnderLiquidation active.

• With isUnderLiquidation still true, the user cannot withdraw NFTs or borrow, and the protocol cannot resolve the state, resulting in permanent NFT loss.

Impact

NFTs permanently lock in the LendingPool.

Tools Used

Recommendations

Modify the repay function to automatically reset isUnderLiquidation if the debt is fully repaid, regardless of the grace period or lock the repay function after the grace period .