Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Incorrect calculations in the `LendingPool` contract for checking whether a user has enough collateral.

Summary

The `withdrawNFT` function uses an incorrect calculation in the `if` condition that checks collateral.

Vulnerability Details

withdrawNFT function :-

In this function, userDebt.percentMul(liquidationThreshold) is compared to collateralValue - nftValue, which is incorrect.

By withdrawing the NFT, the collateral value decreases. The debt should be lower than liquidationThreshold % of the new collateral value after withdrawing the NFT.

@>> if (collateralValue - nftValue < userDebt.percentMul(liquidationThreshold)) {
revert WithdrawalWouldLeaveUserUnderCollateralized();
}

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/pools/LendingPool/LendingPool.sol#L302

Proof of code :-

Let's take an example.

liquidationThreshold = 80%

collateralValue = 100

userDebt = 70

Initially, the user has enough collateral for the debt.

Now follow the calculation for nftValue = 40.

collateralValue - nftValue = 60 and userDebt.percentMul(liquidationThreshold) = 80% * 70 = 56

The new collateral amount = 60, and the debt amount is userDebt = 70.

60 < 56 is false, so the check does not revert, but the user has a debt of 70 and collateral of 60; the position should be undercollateralized.
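
The comparison above, modelled off-chain as an added example (not code from this report or from the RAAC contracts): it runs the quoted check and the corrected check from the Recommendations section on the report's numbers and finds the largest debt each one tolerates. It assumes percentages in basis points and a `percentMul` that rounds half up; the function names are hypothetical.

```javascript
// Added example: off-chain model of the two checks, not the LendingPool code.
const BPS = 10000n; // assumption: 80% is expressed as 8000 basis points

// Assumption: percentMul rounds half up (Aave-style PercentageMath).
function percentMul(value, bps) {
  return (value * bps + BPS / 2n) / BPS;
}

// Condition quoted from withdrawNFT: threshold applied to the debt.
function vulnerableAllows(collateralValue, nftValue, userDebt, thresholdBps) {
  return !(collateralValue - nftValue < percentMul(userDebt, thresholdBps));
}

// Condition from the Recommendations section: threshold applied to the
// collateral that remains after the withdrawal.
function fixedAllows(collateralValue, nftValue, userDebt, thresholdBps) {
  return !(percentMul(collateralValue - nftValue, thresholdBps) < userDebt);
}

// Largest debt a check tolerates for this withdrawal. Both checks are
// monotonic in debt, so a binary search finds the boundary.
function maxDebtAllowed(allows, collateralValue, nftValue, thresholdBps) {
  let lo = 0n;
  let hi = collateralValue * 2n; // above both boundaries for thresholds >= 50%
  while (lo < hi) {
    const mid = (lo + hi + 1n) / 2n;
    if (allows(collateralValue, nftValue, mid, thresholdBps)) lo = mid;
    else hi = mid - 1n;
  }
  return lo;
}

// Numbers from the report: collateral 100, NFT 40, debt 70, threshold 80%.
const T = 8000n;
console.log("vulnerable check allows withdrawal:", vulnerableAllows(100n, 40n, 70n, T));
console.log("fixed check allows withdrawal:     ", fixedAllows(100n, 40n, 70n, T));
console.log("max debt after withdrawal, vulnerable:", maxDebtAllowed(vulnerableAllows, 100n, 40n, T));
console.log("max debt after withdrawal, fixed:     ", maxDebtAllowed(fixedAllows, 100n, 40n, T));
// With nothing withdrawn, the boundary is the debt each check lets 100 of collateral carry.
console.log("max debt on 100 collateral, vulnerable:", maxDebtAllowed(vulnerableAllows, 100n, 0n, T));
console.log("max debt on 100 collateral, fixed:     ", maxDebtAllowed(fixedAllows, 100n, 0n, T));
```

With no NFT withdrawn, the two boundaries (125 against 80 on 100 of collateral) are the "125% borrowing vs intended 80%" named in the judging tag on this page.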

Impact

The user cannot fully utilize the collateral value because userDebt.percentMul(liquidationThreshold) will be much lower than the actual liquidationThreshold of the collateral value.

The value of debt will be greater than the liquidationThreshold, which is incorrect.

Recommendations

withdrawNFT function :-

-if (collateralValue - nftValue < userDebt.percentMul(liquidationThreshold)) {
+if ((collateralValue - nftValue).percentMul(liquidationThreshold) < userDebt) {
revert WithdrawalWouldLeaveUserUnderCollateralized();
}
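
Review bot: the `+` line corrects only `withdrawNFT`, while the judging tag on this page reports the same reversed comparison in `LendingPool::borrow`; apply the same form there, with `percentMul(liquidationThreshold)` on the collateral side compared against `userDebt`. Add a regression test using the report's numbers (collateralValue 100, nftValue 40, userDebt 70, threshold 80%): the old condition evaluates 60 < 56 and lets the withdrawal through, the new one evaluates 48 < 70 and must revert with `WithdrawalWouldLeaveUserUnderCollateralized`.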
Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::borrow as well as withdrawNFT() reverses collateralization check, comparing collateral < debt*0.8 instead of collateral*0.8 > debt, allowing 125% borrowing vs intended 80%
