The getUserCollateralValue() function iterates over user.nftTokenIds without a cap, risking gas limit exceedance with many NFTs. This medium-impact, medium-likelihood issue could lock user assets or debt positions by blocking key functions like withdrawNFT() or borrow().
The function loops through all user NFTs without a limit. Example:
User deposits 1000 NFTs (10 crvUSD each, total 10,000 crvUSD).
getUserCollateralValue() exceeds the block gas limit (e.g., 30M on Ethereum).
withdrawNFT() or borrow() (for example, a borrow of 8000 crvUSD) reverts because each call runs getUserCollateralValue(), locking the 10,000 crvUSD of collateral.
This blocks critical operations as NFT count grows.
Users could lose access to significant collateral (e.g., 10,000 crvUSD), a medium-impact issue. The medium likelihood reflects realistic user behavior of depositing multiple NFTs, posing a growing risk as adoption increases.
Manual code review, verifying the unbounded iteration over user.nftTokenIds in getUserCollateralValue().
Cap NFT deposits per user:
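The following is an added illustration of that recommendation, not code from the audited project: a minimal vault whose depositNFT() enforces a per-user cap so the loop in getUserCollateralValue() stays bounded. The contract name, the MAX_NFTS_PER_USER value and the IPriceOracle.nftValue() call are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not the audited project's code). Names and the cap value
// are hypothetical; the point is the bound on user.nftTokenIds.length.
interface IPriceOracle {
    function nftValue(uint256 tokenId) external view returns (uint256);
}

contract CollateralVault {
    struct UserInfo {
        uint256[] nftTokenIds;
    }

    // Hypothetical cap: chosen so MAX_NFTS_PER_USER oracle reads fit
    // comfortably inside a block even in the worst case.
    uint256 public constant MAX_NFTS_PER_USER = 50;
    IPriceOracle public immutable oracle;
    mapping(address => UserInfo) internal users;

    error TooManyNFTs(uint256 current, uint256 max);

    constructor(IPriceOracle _oracle) {
        oracle = _oracle;
    }

    // Fix: reject a deposit once the user already holds MAX_NFTS_PER_USER
    // tokens. Every later loop over nftTokenIds is then bounded by the cap.
    function depositNFT(uint256 tokenId) external {
        UserInfo storage user = users[msg.sender];
        if (user.nftTokenIds.length >= MAX_NFTS_PER_USER) {
            revert TooManyNFTs(user.nftTokenIds.length, MAX_NFTS_PER_USER);
        }
        // ERC-721 transfer into the vault omitted; only the bookkeeping matters here.
        user.nftTokenIds.push(tokenId);
    }

    // Without the cap above, gas here grows linearly with nftTokenIds.length,
    // so withdrawNFT() and borrow() (which call this) revert once the loop
    // no longer fits in the block gas limit.
    function getUserCollateralValue(address account) public view returns (uint256 total) {
        uint256[] storage ids = users[account].nftTokenIds;
        for (uint256 i = 0; i < ids.length; ++i) {
            total += oracle.nftValue(ids[i]);
        }
    }
}
```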
LightChaser L-36 and M-02 cover it.