Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

NFT honeypot through undisclosed collateral status on secondary markets

Description

The RAAC NFTs can be traded on secondary markets (like OpenSea) while being used as collateral in the LendingPool:

```solidity
// LendingPool.sol (excerpt as quoted in the submission)
function depositNFT(uint256 tokenId) external {
    // `user` is the caller's storage record in the pool; its declaration is omitted in the excerpt
    user.depositedNFTs[tokenId] = true;
    // custody of the token moves from the caller to the pool contract
    raacNFT.safeTransferFrom(msg.sender, address(this), tokenId);
}
```

A malicious user can:

  1. Deposit the NFT as collateral
  2. Borrow the maximum amount against it
  3. List the NFT for sale on OpenSea
  4. When a buyer purchases the NFT:
    • They receive an NFT that is locked in the LendingPool
    • They can't withdraw it because of the existing debt
    • The NFT could be liquidated if the original borrower defaults

Impact:

  • Buyers lose funds purchasing encumbered NFTs
  • NFTs can be liquidated without the buyer's knowledge
  • Creates reputation risk for the protocol

Recommendation

Block secondary market transfers while the NFT is collateral (three-argument hook signature, as in OpenZeppelin ERC721 before 4.7):

```solidity
function _beforeTokenTransfer(address from, address to, uint256 tokenId) internal override {
    // Transfers performed by the pool itself (deposit, withdrawal, liquidation) must stay
    // allowed; otherwise depositNFT's own safeTransferFrom reverts once the flag is set.
    bool poolInvolved = from == address(lendingPool) || to == address(lendingPool);
    require(poolInvolved || !lendingPool.isCollateral(tokenId), "NFT locked in LendingPool");
    super._beforeTokenTransfer(from, to, tokenId);
}
```

Add a metadata flag for collateral status (uses OpenZeppelin `Strings` so the id is rendered as decimal text rather than raw bytes):

```solidity
using Strings for uint256;

function tokenURI(uint256 tokenId) public view override returns (string memory) {
    string memory baseURI = _baseURI();
    return bytes(baseURI).length > 0
        ? string(abi.encodePacked(baseURI, tokenId.toString(), isCollateral[tokenId] ? "_locked" : ""))
        : "";
}
```

Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
