Nft will be remain locked inside StabilityPool after liquidation. Depositors of rToken will incur losses.
Summary
Vulnerability Details
The work flow will be like this
-
any user initiate a liquidation process for another user when user's health factor is below threshold
-
user cas close liquidation in grace period by returning DEBT
-
If grace preiod ended then Manager or Owner will initiate
liquidateBorrower()fromStabilityPoolcontractwhich calls `LendingPool :: finalizeLiquidation()` which is a onlyStabilityPool function
It will send User's all collateral (i.e NFTs) to stability pool
Stability Pool will pay User's DEBT
But point is those transfered NFT to Stability Pool will always gonna locked in that contract, cause Stability Pool does implement any functions to handle those received NFTs, No allowance for other, No NFT related transfer function, it just sit there in that contract.
Impact
StabilityPool pay User's Debt in rToken which are deposited by other users to StabilityPool. And stabilitypool allow users to redeem their deToken for rToken in 1:1. As StabilityPool doing nothing with those Nft received from liquidation then then there is posibility that other users cannot redeem their deToken for rToken.
Tools Used
Manual review
Recommendations
implement some NFT related function inside StabilityPool
Lead Judging Commences
Liquidated RAACNFTs are sent to the StabilityPool by LendingPool::finalizeLiquidation where they get stuck
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.