Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Protocol insolvency risk due to incorrect liquidation threshold calculation allowing users to borrow beyond collateral value

0xekkoo

Summary

The LendingPool's borrow function incorrectly applies the liquidation threshold to the debt amount instead of the collateral value, allowing users to borrow more than their collateral can safely secure.

Vulnerability Details

In the LendingPool contract, the collateral check in the borrow function is implemented incorrectly:

function borrow(uint256 amount) external nonReentrant whenNotPaused onlyValidAmount(amount) {
// .. other checks ..
.
.
if (collateralValue < userTotalDebt.percentMul(liquidationThreshold)) {
revert NotEnoughCollateralToBorrow();
}

This is wrong because the threshold should be based on the collateralValue not the userTotalDebt.

Example Scenario:

  • collateralValue = 1000

  • liquidationThreshold = 80%

  • userTotalDebt = 1200

1000 < ( 1200 * 80% ) = 1000 < 960 = false. (doesn't revert)

After borrow:
collateralValue = 1000
userTotalDebt = 1200

Impact

Users can borrow more than their collateral value, exposing the protocol to insolvency risk through accumulated bad debt.

Tools Used

Manual Review

Recommendations

Correct the liquidation threshold check to apply to collateral value

- if (collateralValue < userTotalDebt.percentMul(liquidationThreshold)) {
+ if (userTotalDebt > collateralValue.percentMul(liquidationThreshold)) {
revert NotEnoughCollateralToBorrow();
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::borrow as well as withdrawNFT() reverses collateralization check, comparing collateral < debt*0.8 instead of collateral*0.8 > debt, allowing 125% borrowing vs intended 80%

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!