Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

DoS: NFTs Can Be Permanently Locked When House Price Is Set To Zero

0x180db

Summary

A denial of service vulnerability exists in the withdrawNFT function where if the oracle sets a house price to 0, any attempt to withdraw NFTs from the lending pool will revert, effectively locking user's NFTs in the contract.

Vulnerability Details

The vulnerability occurs in the following sequence:

  1. A user mints NFTs with IDs 0 and 1 and deposits them as collateral in the lending pool

  2. The oracle sets the house price of token ID 1 to 0 through the setHousePrice function

  3. When attempting to withdraw any NFT through withdrawNFT, the function calls getUserCollateralValue, which call getNFTPrice for any deposited NFTs and reverts if the price is 0

  4. This causes all withdrawNFT calls to revert, locking the NFTs in the contract

Impact

  • Users cannot withdraw their NFTs from the lending pool if any of their deposited NFTs has a price of 0

  • This effectively locks user collateral in the contract indefinitely

Tools Used

  • Manual code review

  • Performing formal verification with Quint

Recommendations

  1. Add validation in the oracle's setHousePrice function to prevent setting prices to 0:

function setHousePrice(uint256 _tokenId, uint256 _amount) external {
require(_amount > 0, "Price cannot be zero");
...
}

  1. Alternatively, modify getNFTPrice to handle zero prices gracefully:

function getNFTPrice(uint256 tokenId) public view returns (uint256) {
(uint256 price, uint256 lastUpdateTimestamp) = priceOracle.getLatestPrice(tokenId);
if (price == 0) {
return 1; // Return minimal value instead of reverting
}
return price;
}
Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 months ago
Submission Judgement Published
Invalidated
Reason: Too generic

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.