Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

Unbounded NFT Minting Allows Infinite Collateral Creation

Summary

The RAACNFT contract's mint() function lacks validation checks for token ID ranges, allowing attackers to mint NFTs beyond the authorized batch size. When combined with the LendingPool's collateral acceptance logic, this enables creation of unlimited collateral value leading to protocol insolvency through bad debt accumulation.

Finding Description

The issue originates in the mint() function of RAACNFT.sol which fails to validate that the _tokenId parameter falls within the current authorized batch range set by currentBatchSize. The relevant code section shows missing range validation:

RAACNFT.sol#L32-L47

function mint(uint256 _tokenId, uint256 _amount) public override {
    uint256 price = raac_hp.tokenToHousePrice(_tokenId);
    if(price == 0) { revert RAACNFT__HousePrice(); }
    // Missing tokenId range check
    // ... rest of minting logic ...
}

The protocol's documentation states "RAAC NFT batches are controlled through governance" but this control is not enforced at the minting layer. The addNewBatch() function increases currentBatchSize but there is no corresponding validation during minting to ensure token IDs stay within batch limits.

The LendingPool's depositNFT function compounds this: it accepts any NFT the caller owns without verifying that the token ID is legitimate:

function depositNFT(uint256 tokenId) external {
    if (raacNFT.ownerOf(tokenId) != msg.sender) revert NotOwnerOfNFT();
    // No tokenId validity checks
    user.depositedNFTs[tokenId] = true;
}

An attacker can mint NFTs with arbitrary token IDs and use them as collateral. The core issue manifests through three protocol assumptions being violated:

  1. Batch-controlled NFT supply (documentation states "batches are controlled")

  2. Collateral value tied to real-world assets (README mentions "real estate on-chain")

  3. Oracle price validation as sole security measure

The impact scenario occurs when an attacker mints token IDs beyond currentBatchSize and the oracle returns valid prices for these unauthorized NFTs. This allows infinite collateral creation as there's no upper bound on token IDs that can be minted.

Impact

Attackers can create unlimited collateral value leading to complete protocol insolvency through bad debt. Even with honest oracles, any configuration error in batch management could enable large-scale collateral fraud. The protocol's entire lending system becomes fundamentally insecure as the NFT supply control mechanism is bypassed.

Proof Of Concept

  1. Initial state: currentBatchSize = 3 (valid token IDs 0-2)

  2. Attacker calls RAACNFT.mint(3, 1e18)

    • Oracle returns price = 1e18 (1M USD) for tokenId 3

    • Mint succeeds due to missing range check

  3. Attacker deposits tokenId 3 into LendingPool via depositNFT(3)

  4. Attacker borrows 800,000 USD (80% LTV) using fake collateral

  5. Repeats process with tokenIds 4,5,...n to drain protocol funds

  6. Protocol accumulates bad debt equal to Σ(borrowed_amount) for n→∞

Mitigation

Add token ID range validation in the mint() function to enforce batch boundaries. The fix ensures only token IDs within the current authorized batch can be minted:
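The range check this mitigation describes, as an added Solidity sketch (not RAAC's code and not part of the submission). It takes the submission's reading that currentBatchSize is the exclusive upper bound on mintable token IDs; the contract name, custom errors, owner check and payment rule are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added sketch, not RAAC's code. Only mint, addNewBatch, currentBatchSize and
// tokenToHousePrice are names from the page; everything else is hypothetical.
interface IHousePrices {
    function tokenToHousePrice(uint256 tokenId) external view returns (uint256);
}

contract BatchBoundedMint {
    error NotOwner();
    error TokenIdOutsideBatch(uint256 tokenId, uint256 batchSize);
    error HousePriceNotSet(uint256 tokenId);
    error InsufficientPayment(uint256 offered, uint256 price);
    error AlreadyMinted(uint256 tokenId);

    IHousePrices public immutable housePrices;
    address public immutable owner;
    uint256 public currentBatchSize; // assumed: valid ids are 0 .. currentBatchSize - 1
    mapping(uint256 => address) public ownerOf;

    constructor(IHousePrices prices, uint256 initialBatchSize) {
        housePrices = prices;
        owner = msg.sender;
        currentBatchSize = initialBatchSize;
    }

    // Governance-side control: the only way to widen the mintable id range.
    function addNewBatch(uint256 batchSize) external {
        if (msg.sender != owner) revert NotOwner();
        currentBatchSize += batchSize;
    }

    function mint(uint256 _tokenId, uint256 _amount) external {
        // The range check the submission proposes: reject ids outside the batch
        // before consulting the oracle, so a priced but unauthorized id cannot mint.
        if (_tokenId >= currentBatchSize) revert TokenIdOutsideBatch(_tokenId, currentBatchSize);

        uint256 price = housePrices.tokenToHousePrice(_tokenId);
        if (price == 0) revert HousePriceNotSet(_tokenId);
        // Assumed payment rule: _amount must cover the oracle price.
        if (_amount < price) revert InsufficientPayment(_amount, price);
        if (ownerOf[_tokenId] != address(0)) revert AlreadyMinted(_tokenId);

        ownerOf[_tokenId] = msg.sender; // ownership record only; moving _amount is out of scope here
    }
}
```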

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
