Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Incorrect `minBidAmount` calculation in the `NFTLiquidator::placeBid` function.

saurabh_singh

Summary

The minBidAmount does not consider the debt amount value.

Vulnerability Details

While liquidating the NFT, the contract should consider the debt amount; otherwise, the NFT will be sold, but the debt will not be covered by the auction.

The auction is meant to recover the NFT's debt amount. If the debt amount is not considered, it will result in a loss for the contract.

If an NFT has a debt of 10,000 but the highest bid in the auction is only 8,000, the remaining 2,000 will be a loss for the contract.

function placeBid(uint256 tokenId) external payable {
.....
.....
@>> uint256 minBidAmount = data.highestBid + (data.highestBid * minBidIncreasePercentage / 100);
if (msg.value <= minBidAmount) revert BidTooLow(minBidAmount);
.....
.....
}

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/pools/StabilityPool/NFTLiquidator.sol#L123

Impact

Loss of funds occurs since the NFT can be sold below the debt amount without covering the debt.

Recommendations

  1. Only end an auction if the winningBid is equal to or greater than the debt amount.

  2. Add the debt amount to minBidAmount to ensure the NFT cannot be sold below the debt amount.

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope

Appeal created

saurabh_singh Submitter
4 months ago
inallhonesty Lead Judge
4 months ago
inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.