Summary
The borrow function assumes 1 USD of NFT collateral equals 1 crvUSD of borrowed assets, but crvUSD’s value fluctuates and isn’t pegged perfectly to 1 USD. This misprices the loan and risks over- or under-borrowing.
Vulnerability Details
The borrow function checks if a user’s NFT collateral (valued in USD via getUserCollateralValue) covers the borrowed amount (in crvUSD). It compares collateralValue (USD) directly to userTotalDebt (crvUSD) adjusted by liquidationThreshold. For example:
NFT price is 1000 USD.
User borrows 800 crvUSD.
Code assumes 800 crvUSD = 800 USD.
But if crvUSD is worth 0.98 USD, the real value borrowed is 784 USD, letting the user borrow more than intended. If crvUSD is 1.02 USD, it’s 816 USD, under-protecting the system. The getNFTPrice function returns USD from RAACHousePrices, while amount is crvUSD, and there’s no conversion between them.
Impact
Loans can be too big or too small. If crvUSD < 1 USD, users over-borrow, risking liquidation or loss for the pool. If crvUSD > 1 USD, users get less than their collateral allows. Either way, the system’s math is off, breaking trust and stability.
Tools Used
Manual review of borrow, getUserCollateralValue, and RAACHousePrices code, plus crvUSD price behavior analysis.
Recommendations
Add a price oracle for crvUSD: fetch the crvUSD/USD rate from an oracle (e.g., Chainlink) and convert userTotalDebt (crvUSD) into USD before comparing it with collateralValue in the collateral check.
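As an added illustration (not RAAC's code), the collateral check below converts crvUSD debt into USD through a Chainlink-style crvUSD/USD feed before comparing it with the USD collateral value; the contract, function and constant names, the 18-decimal scaling, the basis-point threshold and the one-hour staleness window are assumptions. Only the declared subset of AggregatorV3Interface matches Chainlink's real interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal subset of Chainlink's AggregatorV3Interface (real interface; declared inline here).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData() external view
        returns (uint80, int256 answer, uint256, uint256 updatedAt, uint80);
}

/// @notice Illustrative collateral check that prices crvUSD debt in USD before comparing it
///         with USD-denominated NFT collateral. All names below are assumptions, not RAAC code.
contract DebtValuationExample {
    uint256 public constant PRECISION = 1e18;          // assumed: collateral and debt use 18 decimals
    uint256 public constant MAX_ORACLE_AGE = 1 hours;  // assumed: reject stale crvUSD/USD answers
    AggregatorV3Interface public immutable crvUsdUsdFeed;
    uint256 public liquidationThreshold;               // assumed: basis points, e.g. 8000 = 80%

    error StaleOracle();
    error InvalidOraclePrice();

    constructor(AggregatorV3Interface feed, uint256 thresholdBps) {
        crvUsdUsdFeed = feed;
        liquidationThreshold = thresholdBps;
    }

    /// @dev USD price of 1 crvUSD scaled to 18 decimals; reverts on stale or non-positive data.
    function crvUsdPriceInUsd() public view returns (uint256) {
        (, int256 answer,, uint256 updatedAt,) = crvUsdUsdFeed.latestRoundData();
        if (answer <= 0) revert InvalidOraclePrice();
        if (block.timestamp - updatedAt > MAX_ORACLE_AGE) revert StaleOracle();
        // Chainlink USD feeds usually use 8 decimals; normalise to 18 whatever the feed reports.
        return uint256(answer) * PRECISION / (10 ** crvUsdUsdFeed.decimals());
    }

    /// @dev Converts a crvUSD amount (18 decimals) into its USD value (18 decimals).
    function debtValueInUsd(uint256 crvUsdAmount) public view returns (uint256) {
        return crvUsdAmount * crvUsdPriceInUsd() / PRECISION;
    }

    /// @dev Borrow passes only if collateral (USD) scaled by the threshold covers the USD value of
    ///      total debt: with 1000 USD collateral, 800 crvUSD debt and crvUSD at 1.02 USD, the check
    ///      sees 816 USD of debt instead of the unconverted 800.
    function canBorrow(uint256 collateralValueUsd, uint256 currentDebtCrvUsd, uint256 amountCrvUsd)
        public view returns (bool)
    {
        uint256 totalDebtUsd = debtValueInUsd(currentDebtCrvUsd + amountCrvUsd);
        return collateralValueUsd * liquidationThreshold / 10_000 >= totalDebtUsd;
    }
}
```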