Core Contracts

Summary

The RAAC lending protocol contains a critical vulnerability where NFTs transferred to the StabilityPool during liquidation become permanently locked due to the StabilityPool contract lacking the necessary functionality to handle or transfer NFTs. This issue stems from the LendingPool contract sending NFTs to the StabilityPool during liquidation finalization, but the StabilityPool having no implementation for NFT management or the required interfaces to handle ERC721 tokens.

Vulnerability Details

The vulnerability occurs in the interaction between the LendingPool and StabilityPool contracts during the liquidation process:

1. In LendingPool.sol, the finalizeLiquidation function transfers NFTs to the StabilityPool:

1. The StabilityPool contract:

• Does not inherit from ERC721Holder or implement onERC721Received

• Has no functions to manage or transfer received NFTs

• Provides no mechanism for even privileged roles to handle NFTs

1. The RAACNFT contract is a standard ERC721 implementation that:

• Requires recipient contracts to implement ERC721Holder or equivalent

• Has no special provisions for the StabilityPool

• Cannot be overridden to bypass standard safety checks

Key issues:

• No NFT management functionality in StabilityPool

• Missing ERC721Holder implementation

• No rescue or recovery mechanisms

Impact

1. NFTs transferred during liquidation become permanently locked:

   • No recovery mechanism exists

   • Each locked NFT represents a real estate asset with significant value

2. Financial Impact:

   • Permanent loss of valuable real estate NFTs

   • No way to recover or redistribute value to stability providers

Tools Used

Manual Review

Recommendations

Implement proper NFT handling system in StabilityPool