Core Contracts

Summary

LendingPool::getUserCollateralValue() calculates user's collateral value by Adding value of all tokens that a user owns instead of tokens deposited by the user into the Pool. This can be exploited by malicious actors to inflate or deflate their total collateral and manipulate their Debt and liquidity positions.

Vulnerability Details

getUserCollateralValue() function is used by:

• borrow() to determine how much tokens a user can borrow.

• WithdrawNFT() function to prevent undercollateralisation of user position in case of NFT withdrawl from the Pool.

The vulnerability arises because the user collateral is calculated by summing up prices of all user NFTs instead of deposited tokens only.
This combined with the ability to transfer tokens in between users can be leveraged to Inflate and deflate the value of user's total assets and potentially Steal from the protocol.

Exploit

Scenario 1

• attacker gets an NFT temporarily form another user. Inflates total asset value.

• attacker calls borrow() which calls getUserCollateralValue() and loans tokens to user based on inflated collateral value.

• attacker returns the NFT to the original user as it was not deposited to the pool and can be transfered. leaving the position Undercollateralised.

• Even If the position is liquidated the actual collateral value won't be able to cover the losses for the protocol.

Scenario 2

• malicious user gets an NFT temporarily form another user. Inflates total asset value.

• Attacker calls withcrawNFT() which calls getUserCollateralValue() and allows withdrawal due to inflated asset value.

• Attackers returns the NFT to its original owner.

• Attackers position is undercollateralised and is also able to withdraw an NFT which they should not be able to.

Impact

• Theft of protocol funds.

• Forcing Undercollateralisation for positions.

Recommendations

Calculate collateral based on deposited NFTs instead of all user owned NFTs.