Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

No function to rescue ERC721 tokens when a position is liquidated

Summary

When the StabilityPool liquidates a borrower's position, all NFTs from the position are sent to the StabilityPool. However, the StabilityPool does not have a function to withdraw these NFTs, resulting in them being permanently stuck in the contract.

Vulnerability Details

During the liquidation process, the StabilityPool calls lendingPool.finalizeLiquidation(userAddress), which transfers the borrower's NFTs to the StabilityPool. However, the StabilityPool contract lacks a mechanism to withdraw these NFTs. As a result, any NFTs transferred to the StabilityPool during liquidation cannot be recovered.

Impact

NFTs transferred to the StabilityPool during liquidation become permanently stuck in the contract. This leads to a loss of assets for the protocol, as there is no way to retrieve these NFTs.

Tools Used

Manual review

Recommendations

To resolve this issue, add a function to the StabilityPool contract that allows authorized parties (e.g., the owner or manager) to withdraw NFTs. This function should transfer the NFTs to a specified recipient address.

For example, implement the following function:

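// Assumes InvalidAddress and NFTWithdrawn are declared in StabilityPool.
function withdrawNFT(address nftAddress, uint256 tokenId, address recipient) external onlyOwner nonReentrant whenNotPaused {
    // Reject zero addresses for both the recipient and the NFT contract.
    if (recipient == address(0)) revert InvalidAddress();
    if (nftAddress == address(0)) revert InvalidAddress();
    // safeTransferFrom reverts if a contract recipient cannot accept ERC721 tokens.
    IERC721(nftAddress).safeTransferFrom(address(this), recipient, tokenId);
    emit NFTWithdrawn(nftAddress, tokenId, recipient);
}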
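
A reviewer can check for this condition mechanically. The script below is an added example, not code from the audited project or from this submission: a heuristic source scan that lists the functions in a contract that transfer a token out of address(this). The two Solidity snippets and the function name liquidate are constructed stand-ins.

```javascript
// Added example (not the audited code): heuristic scan listing the functions
// of a contract that send a token out of address(this). Regex based, not a parser.

// Drop comments so commented-out transfers are not counted.
const stripComments = (s) =>
  s.replace(/\/\*[\s\S]*?\*\//g, "").replace(/\/\/.*$/gm, "");

// Text between the "{" that ends just before index `open` and its matching "}".
function braceBlock(src, open) {
  let depth = 1, i = open;
  for (; i < src.length && depth > 0; i++) {
    if (src[i] === "{") depth++;
    else if (src[i] === "}") depth--;
  }
  return depth === 0 ? src.slice(open, i - 1) : null;
}

// Names of functions in `contract <name>` that transfer from address(this).
function nftExitFunctions(src, name) {
  const clean = stripComments(src);
  const c = new RegExp(`\\bcontract\\s+${name}\\b[^{]*\\{`).exec(clean);
  const body = c ? braceBlock(clean, c.index + c[0].length) : null;
  if (body === null) throw new Error(`contract ${name} not found`);
  const fnRe = /\bfunction\s+(\w+)\s*\([^)]*\)[^{;]*\{/g;
  const outRe = /\.(?:safeT|t)ransferFrom\s*\(\s*address\s*\(\s*this\s*\)\s*,/;
  const exits = [];
  for (let m; (m = fnRe.exec(body)) !== null; ) {
    if (outRe.test(braceBlock(body, fnRe.lastIndex) || "")) exits.push(m[1]);
  }
  return exits;
}

// Constructed stand-ins for the pool; `liquidate` is a hypothetical name.
const BEFORE = `contract StabilityPool {
  // IERC721(nft).transferFrom(address(this), to, id);
  function liquidate(address userAddress) external {
    lendingPool.finalizeLiquidation(userAddress); // NFTs land in this contract
  }
}`;
const AFTER = BEFORE.replace(/\}$/, `
  function withdrawNFT(address nftAddress, uint256 tokenId, address recipient)
      external onlyOwner nonReentrant whenNotPaused {
    if (recipient == address(0)) revert InvalidAddress();
    IERC721(nftAddress).safeTransferFrom(address(this), recipient, tokenId);
  }
}`);

console.log("before:", nftExitFunctions(BEFORE, "StabilityPool")); // []
console.log("after: ", nftExitFunctions(AFTER, "StabilityPool")); // [ 'withdrawNFT' ]
```

An empty list for a contract that is the destination of a liquidation transfer is the condition this finding describes; a non-empty list still needs manual review of who can call the listed functions.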

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

Liquidated RAACNFTs are sent to the StabilityPool by LendingPool::finalizeLiquidation where they get stuck
