The StabilityPool contract cannot interact with liquidated NFTs that are transferred to it during liquidation. In LendingPool's `finalizeLiquidation()` function, liquidated NFTs are sent to the StabilityPool using the ERC721 `transferFrom()` function. However, the StabilityPool lacks any function to manage, sell, or transfer these NFTs, resulting in them being permanently stuck in the contract.
The `finalizeLiquidation()` function in the LendingPool contract transfers liquidated NFTs to the StabilityPool using:
However, the StabilityPool contract does not implement `onERC721Received()`, nor does it provide any function to withdraw, sell, or transfer the received NFTs.
As a result, once an NFT is transferred to the StabilityPool, it becomes unrecoverable because the contract itself has no way to send it elsewhere.
Severity: High
Liquidated NFTs are permanently locked in the StabilityPool, meaning they cannot be resold or utilized. This breaks the expected liquidation process, leading to lost value and disrupted protocol functionality.
Manual code review
**Implement an NFT handling function in StabilityPool.** Add a function to allow an authorized role (e.g., governance, auction contract, or LPs) to withdraw or resell NFTs.
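One way to implement the recommended withdrawal path, as an added sketch that is not the protocol's own code: the contract name, the `nftManager` and `admin` roles, and the events and errors are hypothetical, and only the standard ERC721 `ownerOf` and `safeTransferFrom` signatures are relied on. Because plain `transferFrom()` does not call a receiver hook, the inbound transfer succeeds either way, so the fix hinges on this outbound function.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal ERC721 surface needed here (standard function signatures).
interface IERC721 {
    function ownerOf(uint256 tokenId) external view returns (address);
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

// Hypothetical sketch of the missing NFT handling; not the protocol's StabilityPool.
contract StabilityPoolNFTRecovery {
    address public immutable nftContract; // assumed: the collateral NFT contract
    address public admin;                 // assumed: governance, may rotate the manager
    address public nftManager;            // assumed: auction contract or other authorized role

    event NFTManagerUpdated(address indexed previous, address indexed current);
    event NFTWithdrawn(uint256 indexed tokenId, address indexed to, address indexed caller);

    error Unauthorized();
    error ZeroAddress();
    error NotHeldByPool(uint256 tokenId);

    constructor(address nft, address manager) {
        if (nft == address(0) || manager == address(0)) revert ZeroAddress();
        nftContract = nft;
        nftManager = manager;
        admin = msg.sender;
    }

    function setNFTManager(address newManager) external {
        if (msg.sender != admin) revert Unauthorized();
        if (newManager == address(0)) revert ZeroAddress();
        emit NFTManagerUpdated(nftManager, newManager);
        nftManager = newManager;
    }

    // Outbound path for liquidated NFTs held by the pool.
    function withdrawNFT(uint256 tokenId, address to) external {
        if (msg.sender != nftManager) revert Unauthorized();
        if (to == address(0)) revert ZeroAddress();
        // Only move tokens the pool actually holds.
        if (IERC721(nftContract).ownerOf(tokenId) != address(this)) revert NotHeldByPool(tokenId);
        emit NFTWithdrawn(tokenId, to, msg.sender);
        // safeTransferFrom reverts if `to` is a contract that cannot receive ERC721 tokens,
        // so the NFT is not moved into another contract that would strand it.
        IERC721(nftContract).safeTransferFrom(address(this), to, tokenId);
    }
}
```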