In the LendingPool.sol contract, the liquidation threshold is incorrectly applied to the user's debt instead of the collateral value in both the withdrawNFT and borrow functions. This can lead to incorrect assessments of user collateralization and potential financial instability.
The vulnerability arises from the withdrawNFT and borrow functions, which currently apply the liquidation threshold to the user's debt rather than the collateral value. The liquidation threshold is intended to ensure that users maintain sufficient collateral to cover their debt. By applying the threshold to the debt, the protocol will incorrectly assess the user's collateralization status, leading to improper approvals for withdrawals and borrowing.
Consider the following scenario:
User has a collateral value of $100,000.
User has a debt of $70,000.
Liquidation threshold is set at 80%.
Current Implementation:
The protocol checks if collateralValue - nftValue < userDebt.percentMul(liquidationThreshold).
If the user wants to withdraw an NFT worth $30,000, the check would be:
This simplifies to:
The condition is false, so the withdrawal is allowed even though the user should be treated as undercollateralized.
By applying the liquidation threshold to the user's debt instead of the collateral value, the protocol may allow users to withdraw NFTs or borrow more than they should be able to. This can lead to users becoming undercollateralized, increasing the risk of bad debt and financial instability for the protocol. It undermines the protocol's ability to maintain a healthy collateralization ratio, potentially leading to significant financial losses.
Manual Review
To mitigate this vulnerability, update the withdrawNFT and borrow functions to apply the liquidation threshold to the collateral value instead of the user's debt. Here is an example of how to implement this:
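The scenario's numbers run through both forms of the withdrawNFT check, as an added Python model rather than the contract's own Solidity code. It assumes percentMul works in basis points with half-up rounding and that amounts are whole-dollar integers; all function names are hypothetical.

```python
# Added model of the withdrawNFT check; not the LendingPool.sol source.
# Assumption: percentages are basis points (10_000 = 100%) with half-up
# rounding, the convention of common percentMul implementations.
PERCENTAGE_FACTOR = 10_000
HALF_PERCENT = PERCENTAGE_FACTOR // 2


def percent_mul(value: int, bps: int) -> int:
    """value * bps / 10_000 in integer math, rounded half up."""
    return (value * bps + HALF_PERCENT) // PERCENTAGE_FACTOR


def _remaining(collateral: int, nft_value: int) -> int:
    # Checked arithmetic on-chain would revert on underflow; mirror that.
    if nft_value > collateral:
        raise ValueError("NFT value exceeds total collateral")
    return collateral - nft_value


def withdraw_allowed_current(collateral, nft_value, debt, threshold_bps):
    """Check as described on the page: threshold scales the debt."""
    left = _remaining(collateral, nft_value)
    return not (left < percent_mul(debt, threshold_bps))


def withdraw_allowed_fixed(collateral, nft_value, debt, threshold_bps):
    """Recommended check: threshold scales the remaining collateral."""
    left = _remaining(collateral, nft_value)
    return not (percent_mul(left, threshold_bps) < debt)


def min_collateral_current(debt, threshold_bps):
    """Least remaining collateral the current check accepts."""
    return percent_mul(debt, threshold_bps)


def min_collateral_fixed(debt, threshold_bps):
    """Least remaining collateral c with percent_mul(c, threshold) >= debt."""
    need = debt * PERCENTAGE_FACTOR - HALF_PERCENT
    return max(0, -(-need // threshold_bps))  # ceiling division


if __name__ == "__main__":
    # Scenario from the page, in whole dollars (constructed integer units).
    c, nft, d, lt = 100_000, 30_000, 70_000, 8_000
    print("current allows:", withdraw_allowed_current(c, nft, d, lt))
    print("fixed allows:  ", withdraw_allowed_fixed(c, nft, d, lt))
    print("min collateral:", min_collateral_current(d, lt),
          "vs", min_collateral_fixed(d, lt))
```

For the $70,000 debt at an 80% threshold, the current check accepts remaining collateral down to $56,000, while the corrected check requires $87,500.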