Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Missing Liquidation Status Check in depositNFT() Allows Loss of Additional Collateral

Summary

The protocol allows users under liquidation to continue depositing NFTs as collateral. These newly deposited NFTs are then automatically seized during liquidation finalization, creating a deceptive situation where users lose additional assets while attempting to improve their position.

Vulnerability Details

The depositNFT() function lacks a check for the user's liquidation status:

    function depositNFT(uint256 tokenId) external nonReentrant whenNotPaused {
        // update state
        ReserveLibrary.updateReserveState(reserve, rateData);
        if (raacNFT.ownerOf(tokenId) != msg.sender) revert NotOwnerOfNFT();
        UserData storage user = userData[msg.sender];
        if (user.depositedNFTs[tokenId]) revert NFTAlreadyDeposited();
        user.nftTokenIds.push(tokenId);
        user.depositedNFTs[tokenId] = true;
        raacNFT.safeTransferFrom(msg.sender, address(this), tokenId);
        emit NFTDeposited(msg.sender, tokenId);
    }

During finalizeLiquidation(), ALL NFTs in the user's position are transferred to the Stability Pool:

    for (uint256 i = 0; i < user.nftTokenIds.length; i++) {
        uint256 tokenId = user.nftTokenIds[i];
        user.depositedNFTs[tokenId] = false;
        raacNFT.transferFrom(address(this), stabilityPool, tokenId);
    }
    delete user.nftTokenIds;

Impact

Users under liquidation can unknowingly lose additional NFTs by depositing them while trying to salvage their position. When liquidation is finalized, these newly deposited NFTs are seized along with the original collateral, even though they were added after liquidation was initiated. This creates an unfair loss of user assets and could be seen as a form of value extraction from users who are attempting to rescue their positions.
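
The flow described above, modelled as a small in-memory simulation that compares what finalizeLiquidation() seizes with and without the liquidation-status check this report recommends. This is an added example, not the protocol's code: `LendingPoolModel`, `initiateLiquidation`, the `guardDeposits` flag, `runScenario` and the user "alice" are assumptions of the model.

```javascript
// Minimal model of the deposit/liquidation flow in this report.
// depositNFT, finalizeLiquidation and isUnderLiquidation mirror the report;
// initiateLiquidation and guardDeposits are assumptions made for the model.
class LendingPoolModel {
  constructor(guardDeposits) {
    this.guardDeposits = guardDeposits;   // true = recommended check applied
    this.nftTokenIds = new Map();         // user -> deposited token ids
    this.isUnderLiquidation = new Set();  // users whose liquidation has started
    this.stabilityPool = [];              // token ids seized at finalization
  }

  depositNFT(user, tokenId) {
    if (this.guardDeposits && this.isUnderLiquidation.has(user)) {
      throw new Error("CannotDepositWhileUnderLiquidation");
    }
    const ids = this.nftTokenIds.get(user) || [];
    if (ids.includes(tokenId)) throw new Error("NFTAlreadyDeposited");
    ids.push(tokenId);
    this.nftTokenIds.set(user, ids);
  }

  initiateLiquidation(user) {
    this.isUnderLiquidation.add(user);
  }

  // Same behaviour as the loop in the report: every listed id is seized.
  finalizeLiquidation(user) {
    const ids = this.nftTokenIds.get(user) || [];
    this.stabilityPool.push(...ids);
    this.nftTokenIds.delete(user);
    this.isUnderLiquidation.delete(user);
    return ids;
  }
}

// Constructed scenario: token 1 backs the position, token 2 is deposited
// after liquidation starts. Returns the seized ids and whether the late
// deposit was rejected by the status check.
function runScenario(guardDeposits) {
  const pool = new LendingPoolModel(guardDeposits);
  pool.depositNFT("alice", 1);
  pool.initiateLiquidation("alice");
  let lateDepositRejected = false;
  try {
    pool.depositNFT("alice", 2);
  } catch (e) {
    lateDepositRejected = e.message === "CannotDepositWhileUnderLiquidation";
  }
  return { seized: pool.finalizeLiquidation("alice"), lateDepositRejected };
}
```

The invariant worth carrying into the real test suite is that the set of NFTs seized at finalization equals the set held when liquidation was initiated.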

Tools Used

Manual Review

Recommendations

Add a liquidation status check to depositNFT:

function depositNFT(uint256 tokenId) external nonReentrant whenNotPaused {
+ if (isUnderLiquidation[msg.sender]) revert CannotDepositWhileUnderLiquidation();
// Rest of the function
}
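
Review bot: the revert added on the first line of depositNFT() uses a custom error, CannotDepositWhileUnderLiquidation, that the snippet does not declare, so the change is incomplete as shown; declare it alongside NotOwnerOfNFT and NFTAlreadyDeposited. The check also relies on isUnderLiquidation[msg.sender] being set for the whole window between initiation and finalization, which the visible lines do not show, so add a test asserting that a deposit in that window reverts and that user.nftTokenIds is unchanged when finalizeLiquidation() runs.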

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Users can deposit NFTs using LendingPool::depositNFT while under liquidation, leading to unfair liquidation of NFTs that weren't part of original position
