After nft withdraw, position can become instantly liquidatable
Summary
The issue arises when withdrawing NFTs from the LendingPool. The current logic does not account for potential price fluctuations, which could render a user's position liquidatable immediately after the withdrawal.
Vulnerability Details
Scenario
A user has:
A debt of 107.
NFTs with a total value of 150.
The user withdraws one NFT with a value of 30.
The total NFT value drops to 120.
The liquidation threshold is 90%, meaning the position remains safe as long as the NFT value is above 108 (90% of 120).
After withdrawal, the position is safe because 108 > 107.
However, if there is even a slight drop in the NFT price:
The NFT value could fall below 108, making the position liquidatable.
Root Cause
The withdrawal logic does not include a safety buffer to account for potential price fluctuations. As a result, even a small decrease in NFT value after withdrawal could push the position below the liquidation threshold.
Impact
Position Liquidation Risk: Users' positions could become liquidatable immediately after withdrawing NFTs, even with minor price changes.
User Experience: Users may lose their collateral unexpectedly, leading to a poor experience and potential financial loss.
Tools Used
Manual code review.
Recommendations
Solution
Introduce a safety threshold higher than the liquidation threshold to ensure that withdrawing NFTs does not immediately make the position liquidatable. For example, use a 95% threshold instead of 90%.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.