The borrow function allows a user to borrow an amount of reserve assets. It checks that the user has enough collateral to cover the new debt. However, the collateral check incorrectly applies the liquidation threshold to the user's debt instead of the collateral value. This incorrect implementation allows users to borrow an amount higher than the collateral provided, potentially leading to undercollateralized positions, bad debts, and protocol insolvency.
Here's the collateral check from borrow
The check is incorrect because it applies liquidationThreshold to userTotalDebt instead of collateralValue.
Example scenario:
Values:
collateralValue = 100 ETH
borrow amount = 120 ETH
userTotalDebt = 120 ETH (assuming there's no previous debt)
liquidationThreshold = 80%
Current calculation (incorrect): 100 ETH < 96 ETH (120 * 80%) is false. The check passes since 100 > 96, allowing the borrow.
Correct calculation: (100) * 80% = 80 ETH < 120 ETH is true. The check should fail as 80 < 120, preventing the borrow.
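The scenario above as a small model, added here as an example and not taken from the protocol's code. It goes one step beyond the scenario by computing the largest total debt each form of the check accepts. Assumptions: the function names are hypothetical, amounts are in wei, and the threshold is expressed in basis points (8000 = 80%).

```python
# Added illustration: a model of the two collateral checks, not the protocol's code.
# Assumption: threshold in basis points (8000 = 80%), amounts in wei, so all
# arithmetic is integer with floor division, as fixed-point math would be on-chain.

BPS = 10_000
ETH = 10**18


def flawed_check(collateral_value: int, user_total_debt: int, liquidation_threshold: int) -> bool:
    """Check as described in the finding: the threshold scales the debt."""
    return collateral_value >= user_total_debt * liquidation_threshold // BPS


def correct_check(collateral_value: int, user_total_debt: int, liquidation_threshold: int) -> bool:
    """The threshold scales the collateral; the debt must fit inside the result."""
    return collateral_value * liquidation_threshold // BPS >= user_total_debt


def max_debt(check, collateral_value: int, liquidation_threshold: int) -> int:
    """Largest total debt (wei) that `check` accepts, found by binary search.

    Both checks are monotonic in the debt: once a debt is rejected, every
    larger debt is rejected too.
    """
    lo, hi = 0, collateral_value * 10  # constructed upper bound for the search
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if check(collateral_value, mid, liquidation_threshold):
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    collateral, debt, threshold = 100 * ETH, 120 * ETH, 8000  # values from the scenario
    print("flawed check passes: ", flawed_check(collateral, debt, threshold))
    print("correct check passes:", correct_check(collateral, debt, threshold))
    for name, check in (("flawed", flawed_check), ("correct", correct_check)):
        print(f"max debt, {name}: {max_debt(check, collateral, threshold) / ETH:.2f} ETH")
```

With the scenario's values, the flawed form accepts any total debt up to collateralValue / liquidationThreshold, which exceeds the collateral itself, while the corrected form caps debt at collateralValue * liquidationThreshold.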
Users can borrow more than their deposited collateral
Risk of bad debts and protocol insolvency
Manual
Fix the collateral check