Users Can Manipulate Mapping Values for Other Users
Summary
The LendingPool.sol contract allows unauthorized modification of user mappings due to missing access control. Attackers can force another user into liquidation or manipulate stored data.
Vulnerability Details
The function initiateLiquidation(address userAddress) in LendingPool.sol sets isUnderLiquidation[userAddress] = true without checking if msg.sender is authorized.
A malicious actor can call this function and put any user into liquidation.
This can trigger forced liquidations on users who are still solvent, leading to unfair asset losses.
PoC
Any user can force another user into liquidation in LendingPool.sol.
Exploit Scenario
The attacker calls
initiateLiquidation()with the victim's address.Since no access control is enforced, the victim is forced into liquidation.
The attacker buys the NFT at a discount.
PoC Exploit
Expected Outcome
The victim’s NFT-backed collateral is liquidated unfairly.
The attacker buys the NFT at a discount from the liquidation pool.
The victim loses their funds due to the exploit.
Impact
Loss of assets: A valid user who should not be liquidated may lose their NFT-backed collateral.
Denial of Service (DoS): Attackers can spam liquidation attempts to lock out real users from using the lending system.
Tools Used
Slither for privilege escalation detection
Manual code review of
LendingPool.sol
Recommendations
Restrict function calls to only designated liquidators or the protocol’s risk engine.
Add a health factor check before liquidating users.
Implement governance-based liquidation approvals.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.