Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

`RAACNFT` locks minted funds permanently due to missing withdrawal mechanism

Summary

Users can tokenize real estate by providing the necessary collateral and minting an NFT through the RAACNFT contract.

Vulnerability Details

The problem is that funds remain locked indefinitely because no withdrawal mechanism has been implemented. Users can't get their collateral back if they decide to withdraw their NFTs from the LendingPool. What is more, the transferred crvUSD stays inside the RAACNFT contract, where even the protocol cannot access or use the funds.

Since this is the key contract for tokenizing real-world assets, this oversight could make a significant amount of funds permanently inaccessible.

Impact

  • A large amount of funds may become stuck or lost.

Tools Used

  • Manual review

Recommendations

  • Implement a withdrawal/burn mechanism in the RAACNFT contract so that users can get their collateral back if they decide to leave the protocol. Also, add a mechanism for moving the transferred funds to the pool or to the RToken contract.
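
One way to implement the burn-and-refund path recommended above, as an added example that is not the RAACNFT source or the project's fix. The contract name `PaidMintNFT`, the fixed `price`, `totalBacking`, `redeem` and `sweepExcess` are hypothetical, and OpenZeppelin Contracts v5 is assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical stand-in for a pay-to-mint NFT contract; not the RAACNFT code.
contract PaidMintNFT is ERC721, Ownable {
    using SafeERC20 for IERC20;

    IERC20 public immutable paymentToken; // e.g. crvUSD
    uint256 public immutable price;       // assumed fixed price per NFT
    uint256 public totalBacking;          // tokens owed back to current NFT holders

    event Redeemed(address indexed holder, uint256 indexed tokenId, uint256 amount);

    constructor(IERC20 token, uint256 price_, address owner_)
        ERC721("PaidMint", "PMNT") Ownable(owner_)
    {
        paymentToken = token;
        price = price_;
    }

    // The pattern from the finding: payment is pulled into this contract.
    // With mint() alone, no code path could ever move these tokens out again.
    function mint(uint256 tokenId) external {
        totalBacking += price;
        paymentToken.safeTransferFrom(msg.sender, address(this), price);
        _safeMint(msg.sender, tokenId);
    }

    // Exit path: burn the NFT and return what was paid for it (state first, transfer last).
    function redeem(uint256 tokenId) external {
        require(ownerOf(tokenId) == msg.sender, "not token owner");
        _burn(tokenId);
        totalBacking -= price;
        paymentToken.safeTransfer(msg.sender, price);
        emit Redeemed(msg.sender, tokenId, price);
    }

    // Admin path limited to surplus, so it can never drain holders' refunds.
    function sweepExcess(address to) external onlyOwner {
        uint256 excess = paymentToken.balanceOf(address(this)) - totalBacking;
        paymentToken.safeTransfer(to, excess);
    }
}
```

The invariant to test is that the contract's `paymentToken` balance never drops below `totalBacking`, so every outstanding NFT stays redeemable.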

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACNFT collects payment for NFT minting but lacks withdrawal functionality, permanently locking all tokens in the contract
