The withdrawNFT function allows a user to withdraw a previously deposited NFT. It checks that the withdrawal would not leave the user under-collateralized before the withdrawal can be completed. However, the collateral check incorrectly applies the liquidation threshold to the debt instead of the collateral value. This incorrect implementation allows users to withdraw NFTs when they should be prevented from doing so, potentially leading to undercollateralized positions and bad debts.
Here's the collateral check from withdrawNFT
The check is mathematically incorrect because it applies liquidationThreshold to userDebt instead of collateralValue.
Example scenario:
Values:
collateralValue = 1000 ETH
nftValue = 600 ETH
userDebt = 500 ETH
liquidationThreshold = 80%
Current calculation (incorrect): `1000 - 600 = 400 ETH < 400 ETH (500 * 80%)`
Check passes since 400 = 400, allowing withdrawal
Correct calculation: `(1000 - 600) * 80% = 320 ETH < 500 ETH`
Check should fail as 320 < 500, preventing withdrawal
In this scenario:
After withdrawal, user would have 400 ETH collateral value
At 80% threshold, this only allows the user to borrow a maximum of 320 ETH
But user has 500 ETH debt
Position would be undercollateralized but current check allows it
Protocol can accrue bad debt
Users can withdraw NFTs while undercollateralized (or the withdrawal can lead to undercollateralization)
Risk of protocol insolvency
Manual
Fix the collateral check formula:
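The scenario's two calculations and the corrected comparison, written out in Solidity as an added example (not the protocol's code and not the submitter's patch). The library, contract and function names are hypothetical, and holding the threshold in basis points (8000 = 80%) is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration; every name here is hypothetical, not the protocol's code.
// Assumption: the liquidation threshold is held in basis points (8000 = 80%).
library WithdrawCheck {
    uint256 internal constant BPS = 10_000;

    // Check as the finding describes it: the threshold scales the debt.
    function passesFlawed(uint256 collateralValue, uint256 nftValue, uint256 userDebt, uint256 thresholdBps)
        internal pure returns (bool)
    {
        return collateralValue - nftValue >= (userDebt * thresholdBps) / BPS;
    }

    // Corrected check: the threshold scales the collateral left after withdrawal.
    function passesCorrected(uint256 collateralValue, uint256 nftValue, uint256 userDebt, uint256 thresholdBps)
        internal pure returns (bool)
    {
        return maxDebtAfterWithdraw(collateralValue, nftValue, thresholdBps) >= userDebt;
    }

    // Largest debt the remaining collateral supports at the threshold.
    function maxDebtAfterWithdraw(uint256 collateralValue, uint256 nftValue, uint256 thresholdBps)
        internal pure returns (uint256)
    {
        return ((collateralValue - nftValue) * thresholdBps) / BPS;
    }
}

contract WithdrawCheckScenario {
    // Runs the finding's numbers; reverts if either check behaves differently.
    function run() external pure returns (uint256 maxDebt) {
        uint256 collateralValue = 1000 ether;
        uint256 nftValue = 600 ether;
        uint256 userDebt = 500 ether;
        uint256 thresholdBps = 8000;

        require(WithdrawCheck.passesFlawed(collateralValue, nftValue, userDebt, thresholdBps), "flawed check should pass");
        require(!WithdrawCheck.passesCorrected(collateralValue, nftValue, userDebt, thresholdBps), "corrected check should block");

        maxDebt = WithdrawCheck.maxDebtAfterWithdraw(collateralValue, nftValue, thresholdBps);
        require(maxDebt == 320 ether, "limit on 400 ETH at 80%");
        // Boundary: debt equal to the limit is allowed, one wei more is not.
        require(WithdrawCheck.passesCorrected(collateralValue, nftValue, maxDebt, thresholdBps), "at limit");
        require(!WithdrawCheck.passesCorrected(collateralValue, nftValue, maxDebt + 1, thresholdBps), "above limit");
    }
}
```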