Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

On liquidation NFT sent to StabilityPool will be stuck forever

Summary

The liquidation process in the StabilityPool and LendingPool has a critical design flaw where liquidated NFTs become permanently locked in the StabilityPool contract with no mechanism to recover or manage them.

    // In LendingPool.sol
    function finalizeLiquidation(address userAddress) external nonReentrant onlyStabilityPool {
        // ...
        // Transfer NFTs to Stability Pool
        for (uint256 i = 0; i < user.nftTokenIds.length; i++) {
            uint256 tokenId = user.nftTokenIds[i];
            user.depositedNFTs[tokenId] = false;
            raacNFT.transferFrom(address(this), stabilityPool, tokenId);
        }
        // ...
    }

But StabilityPool has no functions that interact with the RAACNFT contract.

Vulnerability Details

The StabilityPool contract receives NFTs during liquidation but lacks any functionality to:

  • Transfer NFTs to other addresses

  • Sell NFTs to recover bad debt

  • Manage or auction NFTs

  • Return NFTs to the protocol

Impact

This means valuable NFT collateral becomes permanently trapped in the StabilityPool after liquidations, leading to:

  • Lost value for the protocol

  • Inability to recover bad debt through NFT sales

  • Accumulation of unmovable NFTs in StabilityPool

Tools Used

Manual

Recommendations

  1. Add NFT management functions to StabilityPool

  2. Or modify the liquidation flow to send NFTs to a dedicated NFT liquidation contract instead of StabilityPool
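One way to implement the first recommendation, as an added example that is not part of the original submission or the RAAC code base: a mixin that gives the pool an owner-gated exit for NFTs it holds. The contract name, `owner`, `nftRecipient`, the events, the errors and both functions are hypothetical; only the `raacNFT` name echoes the excerpt above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not RAAC code. All names except raacNFT are hypothetical.
interface IERC721Minimal {
    function ownerOf(uint256 tokenId) external view returns (address);
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

abstract contract StabilityPoolNFTRecovery {
    IERC721Minimal public immutable raacNFT;
    address public owner;
    // Fixed destination, e.g. a dedicated NFT liquidation/auction contract.
    address public nftRecipient;

    event NFTRecipientUpdated(address indexed previous, address indexed current);
    event LiquidatedNFTWithdrawn(uint256 indexed tokenId, address indexed to);

    error NotOwner();
    error ZeroAddress();
    error NotHeldByPool(uint256 tokenId);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(address nft, address initialOwner) {
        if (nft == address(0) || initialOwner == address(0)) revert ZeroAddress();
        raacNFT = IERC721Minimal(nft);
        owner = initialOwner;
    }

    function setNFTRecipient(address recipient) external onlyOwner {
        if (recipient == address(0)) revert ZeroAddress();
        emit NFTRecipientUpdated(nftRecipient, recipient);
        nftRecipient = recipient;
    }

    // Moves one liquidated NFT out of the pool to the preconfigured recipient.
    function withdrawLiquidatedNFT(uint256 tokenId) external onlyOwner {
        address to = nftRecipient;
        if (to == address(0)) revert ZeroAddress();
        if (raacNFT.ownerOf(tokenId) != address(this)) revert NotHeldByPool(tokenId);
        emit LiquidatedNFTWithdrawn(tokenId, to); // effects before the external call
        raacNFT.safeTransferFrom(address(this), to, tokenId);
    }
}
```

Because `safeTransferFrom` is used, a contract recipient must implement `onERC721Received` or the withdrawal reverts, which prevents moving the NFT into a second contract that cannot handle it. The plain `transferFrom` in `finalizeLiquidation` performs no such receiver check, which is why the transfer into StabilityPool succeeds even though the pool has no NFT handling.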

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Liquidated RAACNFTs are sent to the StabilityPool by LendingPool::finalizeLiquidation where they get stuck
