Core Contracts

Summary

borrower can become under collateralized (checks arent correct) in the withdrawNFT() function in LendingPool.

Vulnerability Details

withdrawNFT function in LendingPool used by borrowers to withdraw their collaterals.

key part here is: function should not give borrowers collateral if borrowers become undercollateralized so function implemented a check to preventing that but the check is written wrong so it'll not prevent borrower to withdrawNFT if undercollateralized

the check is here:

This check makes sure borrowers collateral doesnt go under liquidationThreshold after withdrawing the nft

HOWEVER the there is issue in this check the issue is it shouldnt do percentMul for liquidationThreshold, here i explain why

example:

• borowwer deposits 100$ worth of two NFT in total (both worth $100), and lets say liquidationThreshold is 80%,

• borrower borrows 80$ worth of tokens

• borrower want to withdraw NFT valued at 25$

• borrower becomes under collateralized (BUT HOW??)

let me show how :

(100$ - 25$ < ($80).percentMul(80 percent)) -> now liquidationTreshold is =64$, and collateral value - nft value is 75 now, and 75 is less than 64 the check will pass succesfully, now users collateral is 75 while it shouldnt be because its under borrowed ammount which was 80$, its not only went under treshold it also went under borrowed ammount

but if we change percentMul to percentDiv (100$ - 25$ < ($80).percentDiv(80 percent) the right part of check will be 100 (80$ / 80% = 100) because users collateral value shoudldnt go under 100 cause it'll go under liquidationtreshold

Impact

borrower can get under treshold and undercollateralized so protocol will lose funds

Tools Used

vs code

Recommendations

consider changing percentMul