Users can withdraw NFTs beyond safe collateral ratio due to incorrect liquidation threshold calculation
Summary
The LendingPool's withdrawNFT function incorrectly applies the liquidation threshold to the debt amount instead of the remaining collateral value, allowing users to withdraw NFTs that should be locked as collateral.
Vulnerability Details
In the LendingPool contract, the collateral check in the withdrawNFT function is implemented incorrectly:
This is wrong because the threshold should be based on the collateralValue not the userTotalDebt.
Example Scenario:
collateralValue = 1000
nftValue = 200
liquidationThreshold = 80%
userTotalDebt = 1000
1000 - 200 < ( 1000* 80% ) = 800 < 800 = false (doesn't revert)
After Withdraw:
collateralValue = 800
userTotalDebt = 1000
Impact
Users can withdraw NFTs beyond their safe collateral threshold, enabling them to extract value while maintaining bad debt and risking protocol insolvency.
Tools Used
Manual Review
Recommendations
Correct the liquidation threshold check to apply to collateral value
Lead Judging Commences
LendingPool::borrow as well as withdrawNFT() reverses collateralization check, comparing collateral < debt*0.8 instead of collateral*0.8 > debt, allowing 125% borrowing vs intended 80%
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.