Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Lending pool's borrow and withdrawNFT functions allow undercollateralized positions

0rpseqwe

Summary

Lending pool's borrow and withdrawNFT allows undercollateralized positions due to a coding mistake.

Vulnerability Details

LendingPool::withdrawNFT function checks if the remaining collateral leaves a position undercollateralized as below:

if (collateralValue - nftValue < userDebt.percentMul(liquidationThreshold)) {
revert WithdrawalWouldLeaveUserUnderCollateralized();
}

Here liquidationThreshold value takes 0.8 in the constructor, which means that remaning collateral value could be 0.8 of a user debt, leaving the position undercollateralized.
The same mistake occurs in LendingPool::borrow:

// Ensure the user has enough collateral to cover the new debt
if (collateralValue < userTotalDebt.percentMul(liquidationThreshold)) {
revert NotEnoughCollateralToBorrow();
}

Impact

Undercollateralized positions are allowed, leaving protocol with bad debt.

Recommendations

If statements should be liquidationThreshold * collateralValue < userTotalDebt then revert.

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::borrow as well as withdrawNFT() reverses collateralization check, comparing collateral < debt*0.8 instead of collateral*0.8 > debt, allowing 125% borrowing vs intended 80%

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.