Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Stability Pool Has No Mechanism to Retrieve Liquidated NFTs

Summary

The Stability Pool contract lacks any functionality to retrieve or manage NFTs received during liquidations, effectively creating a permanent lock of these assets in the contract.

Vulnerability Details

In the LendingPool contract, when a liquidation is finalized, all NFTs are transferred to the Stability Pool:

    // In LendingPool.finalizeLiquidation:
    for (uint256 i = 0; i < user.nftTokenIds.length; i++) {
        uint256 tokenId = user.nftTokenIds[i];
        user.depositedNFTs[tokenId] = false;
        raacNFT.transferFrom(address(this), stabilityPool, tokenId);
    }

However, examining the Stability Pool contract reveals that there is no mechanism to retrieve the NFTs or transfer them.

Impact

High. Permanent loss of NFT value.

Tools Used

Manual Review

Recommendations

Add an NFT retrieval function:

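    // Relies on a receivedNFTs mapping that records which token IDs the pool holds.
    function recoverNFT(uint256 tokenId, address recipient) external onlyOwner {
        require(receivedNFTs[tokenId], "NFT not in pool");
        // Clear the record before the external call (checks-effects-interactions).
        receivedNFTs[tokenId] = false;
        IRAACNFT(raacNFT).transferFrom(address(this), recipient, tokenId);
    }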
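
A variant of the recommended function, added here as an example (not code from the submission or the RAAC repository). LendingPool.finalizeLiquidation moves the NFTs with transferFrom, which does not call onERC721Received, so the pool gets no callback on arrival with which to fill a receivedNFTs mapping; this version checks custody with ownerOf instead. The contract name, IERC721Minimal, the custom errors, the event and the hand-written onlyOwner modifier are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example. All names except raacNFT and recoverNFT are hypothetical.
interface IERC721Minimal {
    function ownerOf(uint256 tokenId) external view returns (address);
    function transferFrom(address from, address to, uint256 tokenId) external;
}

contract NFTRecoveryExample {
    IERC721Minimal public immutable raacNFT;
    address public immutable owner;

    event NFTRecovered(uint256 indexed tokenId, address indexed recipient);

    error NotOwner();
    error ZeroRecipient();
    error NFTNotInPool(uint256 tokenId);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(address nft) {
        raacNFT = IERC721Minimal(nft);
        owner = msg.sender;
    }

    /// Moves a liquidated NFT held by this contract to `recipient`.
    function recoverNFT(uint256 tokenId, address recipient) external onlyOwner {
        // Sending to the zero address would lose the NFT a second time.
        if (recipient == address(0)) revert ZeroRecipient();

        // ownerOf is the source of truth for custody. It needs no bookkeeping
        // in this contract, so it also covers NFTs that arrived before any
        // tracking existed.
        if (raacNFT.ownerOf(tokenId) != address(this)) revert NFTNotInPool(tokenId);

        // No local state to update, so there is nothing to reorder around
        // the external call.
        raacNFT.transferFrom(address(this), recipient, tokenId);
        emit NFTRecovered(tokenId, recipient);
    }
}
```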
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Liquidated RAACNFTs are sent to the StabilityPool by LendingPool::finalizeLiquidation where they get stuck
