Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Unprotected NFT Deposits During Liquidation Lead to Immediate Asset Loss

0xgee001

Summary:

The LendingPool contract depositNFT function allows users under liquidation to continue depositing NFTs, which are automatically seized during liquidation finalization. This creates a deceptive situation where users attempting to improve their position by adding collateral actually lose these additional assets without any chance of recovery.

Vulnerability Details:

The depositNFT function lacks liquidation status validation:

function depositNFT(uint256 tokenId) external nonReentrant whenNotPaused {
// Missing check: if (isUnderLiquidation[msg.sender]) revert UnderLiquidation();
if (raacNFT.ownerOf(tokenId) != msg.sender) revert NotOwnerOfNFT();
UserData storage user = userData[msg.sender];
if (user.depositedNFTs[tokenId]) revert NFTAlreadyDeposited();
user.nftTokenIds.push(tokenId);
user.depositedNFTs[tokenId] = true;
raacNFT.safeTransferFrom(msg.sender, address(this), tokenId);
emit NFTDeposited(msg.sender, tokenId);
}

During finalizeLiquidation, ALL NFTs are seized:

for (uint256 i = 0; i < user.nftTokenIds.length; i++) {
uint256 tokenId = user.nftTokenIds[i];
user.depositedNFTs[tokenId] = false;
raacNFT.transferFrom(address(this), stabilityPool, tokenId);
}
delete user.nftTokenIds;

Attack Path:

  1. User's position becomes unhealthy

  2. Liquidation initiated

  3. User deposits additional NFTs thinking it will help

  4. Grace period expires

  5. Liquidation finalized - all NFTs seized including new deposits

Impact:

  • Users lose additional collateral without possibility of recovery

  • Creates misleading user experience

  • Potential for significant financial losses

  • Could be exploited by malicious actors to trick users into depositing more collateral

Tools Used:

Manual code review

Recommendations:

  1. Add liquidation status check to depositNFT.

    if (isUnderLiquidation[msg.sender]) revert CannotDepositWhileUnderLiquidation();

  2. Alternative: Allow deposits but track them separately.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Users can deposit NFTs using LendingPool::depositNFT while under liquidation, leading to unfair liquidation of NFTs that weren't part of original position

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!