Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

User can borrow more than collateral

octeezy

Summary

In the LendingPool contract there is a condition in the borrow and withdrawNFT functions to check that user can only borrow 80% of collaterals value, but the condition is wrong, it lets the user borrow 125% of their collaterals value.

Vulnerability Details

PoC:

it("should allow user to borrow more than collateral", async function () {
const userCollateral = await lendingPool.connect(user1).getUserCollateralValue(user1.address);
// User can borrow up to 125% of collateral value
const overCollateralAmount = (userCollateral * 125n) / 100n;
await lendingPool.connect(user1).borrow(overCollateralAmount);
// User runs with the 25% profits
});

This test can be added to the "Borrow and Repay" section of the LendingPool.test.js file

Impact

Attacker can steal funds.

Tools Used

Manual review + hardhat tests.

Recommendations

For the withdrawNFT function:

+uint256 newCollateralValue = collateralValue - nftValue;
-if (collateralValue - nftValue < userDebt.percentMul(liquidationThreshold)) {
+if (userDebt > newCollateralValue.percentMul(liquidationThreshold)) {
revert WithdrawalWouldLeaveUserUnderCollateralized();
}

And for the borrow function:

-if (collateralValue < userTotalDebt.percentMul(liquidationThreshold)) {
+if (userTotalDebt > collateralValue.percentMul(liquidationThreshold)) {
revert NotEnoughCollateralToBorrow();
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::borrow as well as withdrawNFT() reverses collateralization check, comparing collateral < debt*0.8 instead of collateral*0.8 > debt, allowing 125% borrowing vs intended 80%

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.