Users can manipulate the `withdrawNFT` function and take out extra money out of the protocol
Summary
The withdrawNFT() function contains a flawed collateral validation check that enables users to withdraw NFTs that should be locked as collateral, leading to major profit to a user
Vulnerability Details
The withdrawNFT function's collateral check is fundamentally flawed in its mathematical logic:
https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/pools/LendingPool/LendingPool.sol#L302-L304
The check attempts to verify if the remaining collateral after withdrawal would be sufficient, but the mathematical implementation allows users to withdraw NFTs even when their position would become severely undercollateralized\
poc -
assume -
Attacker deposits 2 NFTs worth 100,000 crvUSD each
Total collateral value = 200,000 crvUSD
now
Attacker First borrow 120,000 crvUSD (within normal limits)
Then attempt to withdraw one NFT (100,000 crvUSD value)
due to this now -
the attacker now has
120,000 crvUSD in borrowed funds
One NFT worth 100,000 crvUSD
Net instant profit: 20,000 crvUSD
Impact
Allows profit without market risk
Can be repeated with multiple NFTs
Generates immediate bad debt
Enables direct value extraction from the protocol
Tools Used
Manual Audit
Recommendations
Correct the withdrawal validation logic:
Lead Judging Commences
LendingPool::borrow as well as withdrawNFT() reverses collateralization check, comparing collateral < debt*0.8 instead of collateral*0.8 > debt, allowing 125% borrowing vs intended 80%
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.