Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

Incorrect Decimal Comparison in borrow() Function

Summary

The borrow() function in LendingPool.sol incorrectly compares collateral value (USD, no decimals) with user debt (18-decimal precision). This prevents users from borrowing because the collateral check always fails, regardless of the actual collateral amount.

As a result, users will always be unable to borrow, effectively breaking the core functionality of the lending protocol.

Vulnerability Details

Collateral value (collateralValue) is in raw USD (no decimals), retrieved via:

uint256 collateralValue = getUserCollateralValue(msg.sender);

We can confirm from RAACHousePrices.sol that the prices are set in raw USD:

User debt (userTotalDebt) is in 18-decimal precision, calculated as:

uint256 userTotalDebt = user.scaledDebtBalance.rayMul(reserve.usageIndex) + amount;

Incorrect comparison in collateral check:

if (collateralValue < userTotalDebt.percentMul(liquidationThreshold)) {
    revert NotEnoughCollateralToBorrow();
}

Since collateralValue has no decimals, while userTotalDebt is 18 decimals, the comparison always fails, thus the borrower is always seen as undercollateralized, preventing borrowing.

Incorrect Behavior Flow

  1. User deposits NFT → collateralValue is set in raw USD (e.g., 150,000 instead of 150,000e18).

  2. User tries to borrow crvUSD → userTotalDebt is calculated in 18-decimals (e.g., 1e18 for 1 DebtToken).

  3. Collateral check compares 150,000 with 1e18.percentMul(liquidationThreshold) → Always fails.

  4. Transaction reverts with NotEnoughCollateralToBorrow(), even if the user has sufficient collateral.

Impact

  • Users are permanently unable to borrow, making the protocol unusable.

  • No borrowing demand → The entire lending system fails, as borrowing is the core function.

  • Liquidity remains idle → Lenders will stop providing liquidity if borrowing is blocked.

Tools Used

manual review

Recommendations

Scale collateralValue to 18 Decimals

Modify the calculation to match the precision of userTotalDebt:

uint256 collateralValue = getUserCollateralValue(msg.sender) * 1e18;

Now, both collateralValue and userTotalDebt have 18-decimal precision.
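
An added example, not part of the submission or of the RAAC code base: a Python model of the quoted collateral check, run under the submission's raw-USD premise, with the recommended scaling, and with that scaling applied to a price that is hypothetically already 18-decimal. The rayMul/percentMul rounding follows the Aave-style definitions and the 80% threshold, the price and the amounts are constructed values; all of these are assumptions.

```python
# Added model of the collateral check quoted in the submission (not RAAC code).
RAY = 10**27          # 27-decimal fixed point used by rayMul
WAD = 10**18          # 18-decimal fixed point used for debt amounts
BPS = 10_000          # percentMul works in basis points

def ray_mul(a: int, b: int) -> int:
    """Assumed Aave-style rayMul: a * b / RAY, rounded half up."""
    return (a * b + RAY // 2) // RAY

def percent_mul(value: int, bps: int) -> int:
    """Assumed Aave-style percentMul: value * bps / 10000, rounded half up."""
    return (value * bps + BPS // 2) // BPS

def borrow_check(collateral_value, scaled_debt, usage_index, amount, threshold_bps):
    """Mirror of the quoted check. Returns (passes, left, right) so the
    magnitudes being compared are visible, not just the verdict."""
    user_total_debt = ray_mul(scaled_debt, usage_index) + amount
    required = percent_mul(user_total_debt, threshold_bps)
    return collateral_value >= required, collateral_value, required

def scale_gap(left: int, right: int) -> int:
    """Decimal orders of magnitude between the two sides (0 if either is 0)."""
    if left == 0 or right == 0:
        return 0
    return len(str(right)) - len(str(left))

# Constructed inputs: one NFT priced at 150,000 USD, first borrow of 1 token,
# no prior debt, usage index of 1.0 in ray, hypothetical 80% threshold.
THRESHOLD_BPS = 8_000
PRICE_USD = 150_000
AMOUNT = 1 * WAD

def scenarios():
    raw = borrow_check(PRICE_USD, 0, RAY, AMOUNT, THRESHOLD_BPS)
    scaled = borrow_check(PRICE_USD * WAD, 0, RAY, AMOUNT, THRESHOLD_BPS)
    # If the stored price were already 18-decimal, the extra * 1e18 over-scales:
    # a 1e9-token borrow then clears the check against the same NFT.
    double = borrow_check(PRICE_USD * WAD * WAD, 0, RAY, 10**9 * WAD, THRESHOLD_BPS)
    return {"raw_usd": raw, "scaled_1e18": scaled, "double_scaled": double}

if __name__ == "__main__":
    for name, (ok, left, right) in scenarios().items():
        print(f"{name:14s} passes={ok} collateral={left:.3e} required={right:.3e} "
              f"gap=10^{scale_gap(left, right)}")
```

The result of the check depends entirely on the scale in which the price was stored, so the unit of the value returned by getUserCollateralValue has to be confirmed against the price-setting code before any scaling factor is added or removed.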

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
