Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

When minting RAAC NFT, the value of payment token transferred is not checked to ensure it is equals to the house price in USD

0xgremlincat

Summary

in RAACNFT.sol, the mint()function will mint an RAAC NFT based on the tokenid passed in the function. To be able to receive the minted NFT, the user would have to transfer ERC20 payment tokens to RAACNFT.sol based on the price of the corresponding real estate asset. However, the function does not ensure that the value of the payment tokens transferred is equals to the price of the real estate asset in USD.

Vulnerability Details

function mint(uint256 _tokenId, uint256 _amount) public override {
uint256 price = raac_hp.tokenToHousePrice(_tokenId);
if(price == 0) { revert RAACNFT__HousePrice(); }
if(price > _amount) { revert RAACNFT__InsufficientFundsMint(); }
// transfer erc20 from user to contract - requires pre-approval from user
token.safeTransferFrom(msg.sender, address(this), _amount);
// mint tokenId to user
_safeMint(msg.sender, _tokenId);
// If user approved more than necessary, refund the difference
if (_amount > price) {
uint256 refundAmount = _amount - price;
token.safeTransfer(msg.sender, refundAmount);
}
emit NFTMinted(msg.sender, _tokenId, price);
}

In the above function:

  1. price of the real estate asset is retrieve from Chainlink oracle via tokenToHousePrice(). The oracle will return price in USD. Assuming price = 100,000USD

  2. Assume that the ERC20 payment token is LINK and is in 18 decimals, and _amount= 100000e18

  3. Assume that _amount> price, hence if statement in line 4 will not execute and proceed

  4. payment tokens are transferred to RAACNFT.sol without retrieving the USD price of the payment token. Assume current price of LINK = $17USD. Transferring 100,000 LINK is transferring 1.7 million USD worth of tokens, when the price of the asset is only 100,000USD.

Impact

The value of the ERC20 used for payment in USD is not retrieved - this leads to extremely problematic transfer amounts. Depending on the ERC20 used, the value of the token in USD could be extremely large (e.g WBTC), or extremely low as well.

Although currently, the payment token is crvUSD, it is still incorrect to assume that crvUSD price is 1:1 to USD. Even if protocol would not accept any other ERC20 payment tokens, the price of crvUSD should still be retrieved from oracle.

Tools Used

Manual

Recommendations

Ensure the price in USD of the ERC20 token used as payment is retrieved via oracle, ensuring freshness and decimals of the retrieved price are handled correctly.

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Protocol assumes 1 CRVUSD = 1 USD without using a price oracle, risking incorrect liquidations or other inacurate accounting if the stablecoin depegs

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Protocol assumes 1 CRVUSD = 1 USD without using a price oracle, risking incorrect liquidations or other inacurate accounting if the stablecoin depegs

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.