Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Incorrect LTV calculation in withdrawNFT and borrow function in LendingPool.sol

Summary

The LTV check is incorrect in the two functions, which allows users to borrow more than what they have deposited as collateral.

Vulnerability Details

In both the withdrawNFT and the borrow functions, the LTV check is wrong, essentially allowing users to keep less in collateral than what they borrow/withdraw. A malicious user can use this to get instant profits, leading to a loss for the protocol.

Assume liquidationThreshold = 5000 (50%), user has deposited collateral worth 100 tokens.

In the borrow function:

If the user supplies amount = 150 tokens, the check does the following:
100 < 150.percentMul(5000) => 100 < 150*5000/10000 = 75 => 100 < 75, which is false, so the call will not revert.
Thus the user has essentially withdrawn 150 tokens while keeping only 100 tokens' worth of collateral.

// in the withdrawNFT function
if (collateralValue - nftValue < userDebt.percentMul(liquidationThreshold)) {
    revert WithdrawalWouldLeaveUserUnderCollateralized();
}
// in the borrow function
if (collateralValue < userTotalDebt.percentMul(liquidationThreshold)) {
    revert NotEnoughCollateralToBorrow();
}

Impact

The protocol can be drained. The lending pool doesn't make sense.

Tools Used

Manual review

Recommendations

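Update them as follows:
Borrow function:

// revert when the debt exceeds the threshold share of the collateral
if (userTotalDebt > collateralValue.percentMul(liquidationThreshold)) {
    revert NotEnoughCollateralToBorrow();
}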
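
The arithmetic above as an added JavaScript (BigInt) model, not code from LendingPool.sol or from this submission: it runs the reported and the recommended checks on the page's numbers and searches for the largest debt each one accepts. Assumptions: percentMul rounds half up as in Aave's PercentageMath (the page only shows value * bps / 10000), the withdrawNFT correction mirrors the borrow one, and all function names are hypothetical.

```javascript
// Added model of the LTV checks; function names are hypothetical, not from LendingPool.sol.
const BPS = 10000n; // 10000 = 100%, so 5000 = 50%

// Assumption: half-up rounding, as in Aave's PercentageMath.percentMul.
const percentMul = (value, bps) => (value * bps + BPS / 2n) / BPS;

// Reported borrow check: scales the debt, so it reverts only if collateral < debt * threshold.
function borrowOkReported(collateralValue, userTotalDebt, threshold) {
  return !(collateralValue < percentMul(userTotalDebt, threshold));
}

// Recommended borrow check: scales the collateral, capping debt at collateral * threshold.
function borrowOkRecommended(collateralValue, userTotalDebt, threshold) {
  return !(userTotalDebt > percentMul(collateralValue, threshold));
}

// Reported withdrawNFT check, applied to the collateral left after removing the NFT.
function withdrawOkReported(collateralValue, nftValue, userDebt, threshold) {
  return borrowOkReported(collateralValue - nftValue, userDebt, threshold);
}

// Assumption: withdrawNFT gets the same correction as borrow (the page only spells out borrow).
function withdrawOkRecommended(collateralValue, nftValue, userDebt, threshold) {
  return borrowOkRecommended(collateralValue - nftValue, userDebt, threshold);
}

// Largest debt a check accepts for the given collateral. Binary search works because both
// checks are monotonic in debt; the upper bound holds for any threshold greater than zero.
function maxDebt(check, collateralValue, threshold) {
  let lo = 0n;
  let hi = collateralValue * BPS * 2n;
  while (lo < hi) {
    const mid = (lo + hi + 1n) / 2n;
    if (check(collateralValue, mid, threshold)) lo = mid;
    else hi = mid - 1n;
  }
  return lo;
}

// Constructed inputs: the page's 100-token collateral at 50%, and the 80% case from the finding tag.
for (const t of [5000n, 8000n]) {
  console.log(`threshold ${t}: reported max debt ${maxDebt(borrowOkReported, 100n, t)},`,
    `recommended max debt ${maxDebt(borrowOkRecommended, 100n, t)}`);
}
```

On 100 tokens of collateral the reported check accepts debt up to 200 at a 50% threshold and 125 at 80%, against 50 and 80 for the recommended check.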

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::borrow as well as withdrawNFT() reverses collateralization check, comparing collateral < debt*0.8 instead of collateral*0.8 > debt, allowing 125% borrowing vs intended 80%
