When withdrawing an NFT, it is essential to safeguard the user's financial health by comparing collateralValue with userDebt using the liquidationThreshold factor. However, the current implementation incorrectly multiplies liquidationThreshold with userDebt instead of collateralValue, leading to an erroneous threshold check.
The withdrawNFT() function currently compares collateralValue against userDebt multiplied by liquidationThreshold. This approach is flawed.
To ensure accuracy, userDebt should not exceed collateralValue multiplied by liquidationThreshold. In other words, liquidationThreshold should be applied to collateralValue instead of userDebt.
With liquidationThreshold set at 80%, the current check passes whenever collateralValue is at least 80% of userDebt, so userDebt can reach up to 125% of the user's collateral (1 / 0.8 = 1.25), resulting in potential financial losses for the protocol.
Malicious users could borrow more than their collateral allows, leading to financial losses for the protocol.
Manual review
The liquidationThreshold should be applied to collateralValue instead of userDebt.
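The two checks side by side, as an added example that is not the audited protocol's code. The contract name, function names, the basis-point scale and the canWithdraw guard are assumptions made for illustration; only the 80% threshold and the direction of the comparison come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not the audited protocol's code.
/// Assumed: threshold in basis points, all values in one common unit.
contract WithdrawHealthCheckExample {
    uint256 public constant BPS = 10_000;
    uint256 public constant LIQUIDATION_THRESHOLD = 8_000; // 80%, as in the finding

    /// Check as the finding describes it: the threshold scales userDebt.
    function flawedIsHealthy(uint256 collateralValue, uint256 userDebt)
        public pure returns (bool)
    {
        return collateralValue >= (userDebt * LIQUIDATION_THRESHOLD) / BPS;
    }

    /// Recommended check: the threshold scales collateralValue.
    function correctedIsHealthy(uint256 collateralValue, uint256 userDebt)
        public pure returns (bool)
    {
        return userDebt <= (collateralValue * LIQUIDATION_THRESHOLD) / BPS;
    }

    /// Hypothetical withdrawal guard: value the position as if the NFT
    /// were already removed, then require the corrected check to hold.
    function canWithdraw(uint256 collateralValue, uint256 nftValue, uint256 userDebt)
        external pure returns (bool)
    {
        if (nftValue > collateralValue) return false;
        return correctedIsHealthy(collateralValue - nftValue, userDebt);
    }

    /// Debt ceiling implied by each check, ignoring integer-division rounding.
    function maxDebt(uint256 collateralValue)
        external pure returns (uint256 flawed, uint256 corrected)
    {
        flawed = (collateralValue * BPS) / LIQUIDATION_THRESHOLD;    // collateral / 0.8
        corrected = (collateralValue * LIQUIDATION_THRESHOLD) / BPS; // collateral * 0.8
    }
}
```

With the constructed inputs collateralValue = 100e18 and userDebt = 125e18, flawedIsHealthy returns true while correctedIsHealthy returns false, which is the 125% case described above.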