Core Contracts

Summary

When users are finally liquidated by the Stability pool, their liquidated NFTs are sent into the StabilityPool contract which does not have any function to withdraw or trade these NFTs. These valauble NFTs remain in the pool forever.

Vulnerability Details

Users must provide RAACNFT collateral to take loans from the LendingPool. depositNFT and withdrawNFT allows for users to deposit and withdraw respectively, considering you have no unsettled debts. Users who are unable to pay these loans within the liquidation and grace period, gets liquidated of their NFT. Here is the where the issues arises:

When a manager/owner invokes the liquidateBorrower function:

• Ensure StabilityPool has enough crvUSDToken to repay into the LendingPool

• Transfer user existing NFTs from the LendingPool to the StabilityPool

• Delete record of NFTs

• Burn debtTokens fro user

• Transfer the crvUSDToken to the RToken contract

  
  https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/pools/LendingPool/LendingPool.sol#L517
  The transfer of NFT to the StabilityPool contract.

POC

• Obi acquired an NFT through the RAACNFT for high valuable house price

• Deposits into the LendingPool contract so he can lend loans

• He borrowed a crvUSDToken within his collateral value

• Alice noticed his health factor and initiated liquidation

• After the grace period has passed without Obi clearing the debt

• Manager calls finalizeLiquidation to liquidate Obi

• StabilityPool contract will receive his NFT that remains there forever.

Impact

Liquidated RAACNFT are stuck in StabilityPool contract.

Tools Used

Manual Review.

Recommendations

Implement withdrawal ability in the StabilityPool contract to still access these valuable NFTs.