Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

Missing CrvUSD Deposits check in Collateral Value Calculation

olugbenga

Summary

The getUserCollateralValue function only considers NFT deposits and ignores CrvUSD deposits, despite protocol documentation stating that both NFTs and CrvUSD deposits should be counted as collateral. This mismatch can lead to the undervaluation of the user's collateral.

Vulnerability Details

Per the documentation, the user's collateral comprises of both crvUsd and NFTs deposited.

The Lending Pool allow any one to borrow against a collateral
comprised of crvusd deposited / NFTs deposited.

However, the getUserCollateralValue checks only the NFTs deposited by the user and doesn't take into consideration the crvUsd deposited.

function getUserCollateralValue(address userAddress) public view returns (uint256) {
UserData storage user = userData[userAddress];
uint256 totalValue = 0;
for (uint256 i = 0; i < user.nftTokenIds.length; i++) {
uint256 tokenId = user.nftTokenIds[i];
uint256 price = getNFTPrice(tokenId);
totalValue += price;
}
// No check for CrvUSD deposit balance
return totalValue;
}

Impact

  • Users get lower borrowing capacity

  • Premature liquidations possible

  • Protocol doesn't function as documented

Tools Used

Manual

Recommendations

Fix the collateral calculation to include checks for crvUsd deposited.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Design choice

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!