Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

NFTs from liquidation will remain stuck in the Stability pool

tigerfrake

Summary

The Stability pool does not inherit any functionality for handling ERC721 tokens. However, during liquidation, all of the user's NFTs are transfered to this contract. This means that there will be no means to handle them once received.

Vulnerability Details

The LendingPool contract is defined as follows:

contract LendingPool is ILendingPool, Ownable, ReentrancyGuard, ERC721Holder, Pausable {

This contract inherits from ERC721Holder which gives it the capabilities to interact witrh ERC721 tokens. As such, uers are able to deposit their NFTs to this contract as collateral:

user.nftTokenIds.push(tokenId);

user.depositedNFTs[tokenId] = true;

>> raacNFT.safeTransferFrom(msg.sender, address(this), tokenId);

Now, during liquidation, these NFTs deposited by the user are transfered to the Stability pool:

for (uint256 i = 0; i < user.nftTokenIds.length; i++) {

uint256 tokenId = user.nftTokenIds[i];

user.depositedNFTs[tokenId] = false;

// @audit-issue NFTs will be stuck in stabilityPoolL

>> raacNFT.transferFrom(address(this), stabilityPool, tokenId);

}

Here is how stabilityPool is defined:

contract StabilityPool is IStabilityPool, Initializable, ReentrancyGuard, OwnableUpgradeable, PausableUpgradeable {

None of the inherited contracts posess the configs for handling NFTs. Also, notice that the transfer is performed by transferFrom() which does not check for receiver compatibility.

Impact

As such, these NFTs will be transfered without any reverts. However, there will be no means to interact with them once received therefore stuck.

Tools Used

Manual Review

Recommendations

Inherit the ERC721Holder contract to the Stability pool to enable it to handle NFTs:

+ import "@openzeppelin/contracts/token/ERC721/utils/ERC721Holder.sol";

- contract StabilityPool is IStabilityPool, Initializable, ReentrancyGuard, OwnableUpgradeable, PausableUpgradeable {

+ contract StabilityPool is IStabilityPool, Initializable, ReentrancyGuard, OwnableUpgradeable, PausableUpgradeable, ERC721Holder {

Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Liquidated RAACNFTs are sent to the StabilityPool by LendingPool::finalizeLiquidation where they get stuck

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.