Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

Large Borrowers Can’t Be Liquidated Due to No Partial Liquidation

udogodwin2k22

Summary

The LendingPoolcontract can only liquidate a borrower’s full debt and all their collateral (NFTs) in one go. If a whales owes a lot (like 10,000 crvUSD) and the Stability Pool doesn’t have enough money to cover it, the liquidation fails. This stops the protocol from handling risky large borrowers properly

Vulnerability Details

The finalizeLiquidation function is responsible for closing out a borrower’s debt and taking their collateral when they can’t pay back their loan. However, it’s built to handle everything at once, there’s no option to do it little by little. The function starts by figuring out how much the borrower owes:

uint256 userDebt = user.scaledDebtBalance.rayMul(reserve.usageIndex);

This calculates the total debt, including interest. There’s no way to say, “Let’s only deal with part of this debt.”

Next, it takes all the borrower’s NFTs (their collateral) and sends them to the Stability Pool:

for (uint256 i = 0; i < user.nftTokenIds.length; i++) {
uint256 tokenId = user.nftTokenIds[i];
user.depositedNFTs[tokenId] = false;
raacNFT.transferFrom(address(this), stabilityPool, tokenId);
}
delete user.nftTokenIds;

Then, it tries to move money from the Stability Pool to cover the debt:

IERC20(reserve.reserveAssetAddress).safeTransferFrom(msg.sender, reserve.reserveRTokenAddress, amountScaled);

Here, amountScaled matches the full userDebt. The Stability Pool (the msg.sender) has to send this whole amount in one transaction. If it doesn’t have enough, like if the debt is 10,000 crvUSD but the pool only has 5,000 crvUSD, the transaction fails and nothing happens.

Imagine a borrower or multiple borrowers owes 10,000 crvUSD, and their NFTs are worth enough to cover it. The Stability Pool, which is supposed to pay this debt and take the NFTs, only has 5,000 crvUSD. When finalizeLiquidation runs:

  • It demands all 10,000 crvUSD from the Stability Pool.

  • The pool can’t pay, so the safeTransferFrom line fails, and the whole process stops.

  • The borrower stays in debt, and their risky position isn’t fixed.

Other systems, like Aave, let you liquidate part of the debt (say, 5,000 crvUSD) and take some of the collateral. This way, even big borrowers can be handled step-by-step. But in this contract, it’s all or nothing. The contract doesn’t have another way to liquidate borrowers. The repay function lets borrowers pay back part of their debt, but that’s not liquidation—it’s voluntary. Liquidation is forced and needs to work even for big debts.

Impact

  1. Big borrowers with too much debt and not enough collateral can’t be liquidated, leaving the system exposed to losses if the collateral value drops.

  2. Lenders’ funds could be trapped because the protocol can’t recover assets from big borrowers.

Tools Used

Manual Review

Recommendations

Add a parameter like liquidationAmount to let the caller choose how much debt to pay off.
Calculate how many NFTs to take based on that amount (e.g., if paying half the debt, take half the collateral value in NFTs).
Only transfer that portion of funds from the Stability Pool.

function finalizeLiquidation(address userAddress, uint256 liquidationAmount) external nonReentrant onlyStabilityPool {
uint256 userDebt = user.scaledDebtBalance.rayMul(reserve.usageIndex);
require(liquidationAmount <= userDebt, "Amount too high");
// Take proportional NFTs and transfer liquidationAmount instead of full debt
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

StabilityPool has no ability to liquidate large positions due to all-or-nothing design - partial liquidation not supported, risking protocol insolvency

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.