Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Malicious Actors Can render Lending Pool unusable.

oldguard

Summary

Attackers or whales can keep buying up the batches of NFTs as they're being added by monitoring them either on chain or offchain hereby making it impossible for for regular users to borrow from the lending pool as well as monopolizing NFT supply, using them as collateral, and over-leveraging borrowing due to how the liquidation threshold is enforced

Vulnerability Details

During Launch a malicious attacker with a lot of funds can buy up the first batch of Nfts(3) by calling the mint function then set up An off-chain bot which can be used to monitor for a state change in the RAACNFT.sol contract more specifically the currentBatchSize state variable if it's greater than the previously stored number they buy up the difference.

  • The motive for this will be to borrow against the collateral a lot more than the deposited collateral as during borrowing we're only checking if the collateralValue is not less than 80% of the debt as initial liquidation threshold is 80% :

// Fetch user's total debt after borrowing
uint256 userTotalDebt = user.scaledDebtBalance.rayMul(
reserve.usageIndex
) + amount;
// Ensure the user has enough collateral to cover the new debt
if (collateralValue < userTotalDebt.percentMul(liquidationThreshold)) {
revert NotEnoughCollateralToBorrow();
}

so for example Malicious Attacker takes a flashloan and gets their hands on $1000,000 worth of NFTs then :

  1. Collateral Value: $1,000,000

  2. Collateral-to-Debt Ratio: 80% (0.8)

  3. Formula:

    Debt ≤ Collateral / 0.8

  4. Maximum Debt:

    Debtmax = 1,000,000 / 0.8 = $1, ⁣250, ⁣000

  5. Additional Borrowing Capacity:

    $1, ⁣250, ⁣000 − $1, ⁣000, ⁣000 = $250, ⁣000

The additional Borrowing capacity can be considered gains in this instance as attacker can simply pay off their flashloan then pocket the change.

Impact

  • this will create a massive bad debt for the protocol as attacker can run away with funds and they're massively undercollateralized.

  • this will also render the protocol unusable as people can only at least for the moment borrow against NFTS and if an attacker keeps buying up NFTS as they're added ordinary users will not be able to borrow hence lending pool is rendered unusable.

Tools Used

Recommendations

  • Take away the incentive for this by making sure the undercollateralization check matches the healthfactor calculation :

uint256 collateralThreshold = collateralValue.percentMul(
liquidationThreshold
);
return (collateralThreshold * 1e18) / userDebt;

  • consider implementing some offchain verification before user can purchase NFTs to prevent this.

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::borrow as well as withdrawNFT() reverses collateralization check, comparing collateral < debt*0.8 instead of collateral*0.8 > debt, allowing 125% borrowing vs intended 80%

Appeal created

oldguard Submitter
6 months ago
inallhonesty Lead Judge
6 months ago
oldguard Submitter
6 months ago
inallhonesty Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::borrow as well as withdrawNFT() reverses collateralization check, comparing collateral < debt*0.8 instead of collateral*0.8 > debt, allowing 125% borrowing vs intended 80%

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.