Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

No functionality to bring loan above water using deposited assets

0xblockhound

Summary

User can not bring loan above water

Vulnerability Details

In the LendingPool contract, users can borrow RToken by depositing an NFT as collateral. If the NFT price falls below the liquidation threshold, anyone can call initiateLiquidation(), and the borrower is given a limited time to repay their loan.

Currently, borrowers have two options to avoid liquidation:

  1. Repay the borrowed loan.

  2. Deposit another NFT to increase collateral value and bring the loan above water.

However, there is no functionality to allow users to increase their collateral value by depositing asset tokens (e.g., crvUSD). Even though deposit() allows users to deposit asset tokens, these deposits do not count towards the total collateral value.

https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/pools/LendingPool/LendingPool.sol#L561-L569

function getUserCollateralValue(address userAddress) public view returns (uint256) {
UserData storage user = userData[userAddress];
uint256 totalValue = 0;
for (uint256 i = 0; i < user.nftTokenIds.length; i++) {
uint256 tokenId = user.nftTokenIds[i];
uint256 price = getNFTPrice(tokenId);
totalValue += price;
}

This forces users to either repay the loan in full or deposit additional NFTs, limiting their flexibility and increasing liquidation risks.

Impact

Borrowers might get liquidated even if they have sufficient asset tokens deposited.

Tools Used

Recommendations

Modify collateral calculation to include deposited asset tokens (crvUSD) when determining the total collateral value.

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Design choice

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.