The borrow function in the LendingPool contract contains an incorrect collateral sufficiency check, enabling users to borrow amounts that exceed safe collateralization limits.
This flaw allows the creation of under-collateralized loans, threatening protocol solvency.
Exploit Example:
Parameters:
Collateral: 100 ETH
Liquidation Threshold: 80% (0.8)
1st Borrow Attempt: 90 ETH
Current Check Execution:
collateralValue (100 ETH) < (90 ETH) * 0.8 → 100 < 72 → false (so the call does not revert) → borrow allowed
Resulting Position:
Debt/Collateral Ratio: 90% (90 ETH debt vs. 100 ETH collateral)
Required Collateral (Correct):
Undercollateralized by 12.5 ETH
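The arithmetic above as an added Python model (not the LendingPool code): it compares the check as described with a corrected form that applies the threshold to the collateral side, an assumption consistent with the 12.5 ETH shortfall. All function names are hypothetical and amounts are in wei.

```python
# Added illustration: integer basis-point model of the collateral check.
# Names are hypothetical and are not taken from the LendingPool contract.
BPS = 10_000   # 100% expressed in basis points
WAD = 10**18   # wei per ETH


def flawed_check_reverts(collateral: int, debt_after: int, threshold_bps: int) -> bool:
    """Check as described on the page: the threshold scales the DEBT side."""
    return collateral < debt_after * threshold_bps // BPS


def fixed_check_reverts(collateral: int, debt_after: int, threshold_bps: int) -> bool:
    """Corrected form (assumed): the threshold scales the COLLATERAL side."""
    return collateral * threshold_bps // BPS < debt_after


def required_collateral(debt: int, threshold_bps: int) -> int:
    """Smallest collateral accepted by the corrected check (ceiling division)."""
    return -(-debt * BPS // threshold_bps)


def max_borrow(check, collateral: int, threshold_bps: int) -> int:
    """Largest total debt the given check accepts, found by binary search."""
    lo, hi = 0, 2 * collateral * BPS // threshold_bps
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if check(collateral, mid, threshold_bps):
            hi = mid - 1   # mid would revert, so the limit is below it
        else:
            lo = mid       # mid is accepted, so the limit is at least mid
    return lo


if __name__ == "__main__":
    collateral, debt, threshold = 100 * WAD, 90 * WAD, 8_000  # the page's figures
    print("flawed check reverts:", flawed_check_reverts(collateral, debt, threshold))
    print("fixed check reverts: ", fixed_check_reverts(collateral, debt, threshold))
    shortfall = required_collateral(debt, threshold) - collateral
    print("shortfall (ETH):", shortfall / WAD)
    print("max debt, flawed (ETH):", max_borrow(flawed_check_reverts, collateral, threshold) // WAD)
    print("max debt, fixed (ETH): ", max_borrow(fixed_check_reverts, collateral, threshold) // WAD)
```

Under the flawed comparison the borrowing limit for 100 ETH of collateral is about 125 ETH, more than the collateral itself, while the corrected comparison caps it at 80 ETH.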
Critical Severity (Protocol Insolvency Risk):
Bad Debt Accumulation: Users can borrow more than collateral allows.
Liquidation Failure: Undercollateralized positions cannot be profitably liquidated.
Protocol Insolvency: Total debt exceeds collateral value, leading to systemic collapse.
Change the check to the following