The borrow() function in LendingPool contains a critical flaw in its collateralization check that incorrectly applies the liquidation threshold to the debt amount instead of the collateral value. This allows users to borrow amounts that exceed the safe borrowing capacity of their collateral.
In the borrow function:
Sample Scenario
collateralValue: 2000
userTotalDebt: 2200 //Existing debt: 1500; Attempting to borrow: 700 more
Liquidation threshold: 85%
The current implementation would allow this borrow to succeed because:
It checks if 2000 < (2200 * 0.85)
2000 < 1870, which is false
Therefore, it doesn't revert
However, this results in an unsafe position where:
collateralValue: 2000
userTotalDebt: 2200
Actual collateralization ratio: 90.9% (2000/2200)
Users can borrow more than their collateral safely supports
Protocol becomes systematically undercollateralized
High risk of bad debt accumulation
Potential for protocol insolvency
Attackers can exploit this to maximize borrowed amounts without adequate collateral
Manual code review
Implement a maximum borrowable amount function.
Correct the collateralization check.
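The two recommendations above, sketched as an added example that is not the LendingPool source: it puts the flawed comparison described in the finding beside a check that applies the threshold to the collateral, plus a maximum-borrowable helper. The contract, function, and error names are hypothetical, and the threshold is assumed to be in basis points (8500 = 85%).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not the LendingPool source. Every name here is hypothetical.
// Assumption: the liquidation threshold is expressed in basis points (8500 = 85%).
contract BorrowCheckExample {
    uint256 private constant BPS = 10_000;

    error NotEnoughCollateral(uint256 debtAfterBorrow, uint256 debtCap);

    // Flawed form described in the finding: the threshold scales the DEBT.
    // It rejects only when collateral < debt * threshold, so it still accepts
    // debt up to collateral / threshold, which is more than the collateral itself.
    function flawedAccepts(uint256 collateralValue, uint256 debtAfterBorrow, uint256 thresholdBps)
        public pure returns (bool)
    {
        return collateralValue >= (debtAfterBorrow * thresholdBps) / BPS;
    }

    // Corrected cap: the threshold scales the COLLATERAL. Rounds down, in the protocol's favour.
    function debtCap(uint256 collateralValue, uint256 thresholdBps) public pure returns (uint256) {
        return (collateralValue * thresholdBps) / BPS;
    }

    // Maximum additional amount the user may borrow; zero if already at or past the cap.
    function maxBorrowable(uint256 collateralValue, uint256 currentDebt, uint256 thresholdBps)
        public pure returns (uint256)
    {
        uint256 cap = debtCap(collateralValue, thresholdBps);
        return currentDebt >= cap ? 0 : cap - currentDebt;
    }

    // Corrected check: revert when the post-borrow debt exceeds the cap.
    function requireSafeBorrow(uint256 collateralValue, uint256 currentDebt, uint256 amount, uint256 thresholdBps)
        public pure
    {
        uint256 debtAfterBorrow = currentDebt + amount;
        uint256 cap = debtCap(collateralValue, thresholdBps);
        if (debtAfterBorrow > cap) revert NotEnoughCollateral(debtAfterBorrow, cap);
    }

    // The finding's scenario: collateral 2000, existing debt 1500, borrowing 700 at 85%.
    function scenario() external pure returns (bool flawedResult, uint256 cap, uint256 headroom) {
        flawedResult = flawedAccepts(2000, 1500 + 700, 8500);
        cap = debtCap(2000, 8500);
        headroom = maxBorrowable(2000, 1500, 8500);
    }
}
```

With the sample scenario's numbers, `requireSafeBorrow(2000, 1500, 700, 8500)` reverts because the post-borrow debt of 2200 exceeds the cap of 1700 (2000 * 0.85), while the flawed comparison accepts the same borrow.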