Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

ETH Transfer to StabilityPool Causes Auction Failure in NFTLiquidator.sol

Summary

The buyBackNFT() and endAuction() functions in NFTLiquidator.sol are designed to handle the liquidation and sale of NFTs through an auction mechanism. Both functions attempt to send ETH to StabilityPool, which lacks a receive() or fallback() function. This causes the ETH transfer to fail and revert the transaction, resulting in NFTs getting permanently stuck in NFTLiquidator.

Vulnerability Details

ETH Transfer to StabilityPool Reverts Due to Missing receive()/fallback() Function

Code Snippets:

In buyBackNFT():

payable(stabilityPool).transfer(price);

In endAuction():

payable(stabilityPool).transfer(winningBid);

The StabilityPool contract does not have a receive() or fallback() function to accept ETH. As a result, these transfers always revert.
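The failure mode described above, as an added example that is not code from the audited repository: every contract and function name here is a hypothetical stand-in, and the receive() variant is included only as a contrast, not as the fix recommended below.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration; all names are hypothetical stand-ins, not the audited contracts.

// Pool with no receive() or fallback(): a plain ETH transfer to it reverts.
contract PoolWithoutReceive {}

// Contrast: a payable receive() accepts the same transfer.
contract PoolWithReceive {
    receive() external payable {}
}

// Stand-in for the liquidator's payout step.
contract LiquidatorSketch {
    address public immutable stabilityPool;
    bool public auctionSettled;

    constructor(address pool) {
        stabilityPool = pool;
    }

    // Accept a bid so the contract holds ETH to forward.
    function placeBid() external payable {}

    // Same push pattern as the snippets above. If the pool cannot accept ETH,
    // transfer() reverts and the whole call, including the state update,
    // is rolled back, so the auction can never be settled.
    function endAuction() external {
        auctionSettled = true;
        payable(stabilityPool).transfer(address(this).balance);
    }
}

contract Demo {
    // Runs the same settlement against both pools and records whether each call succeeded.
    function run() external payable returns (bool okWithout, bool okWith) {
        LiquidatorSketch a = new LiquidatorSketch(address(new PoolWithoutReceive()));
        LiquidatorSketch b = new LiquidatorSketch(address(new PoolWithReceive()));
        a.placeBid{value: msg.value / 2}();
        b.placeBid{value: msg.value / 2}();
        try a.endAuction() { okWithout = true; } catch { okWithout = false; }
        try b.endAuction() { okWith = true; } catch { okWith = false; }
    }
}
```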

Impact

Liquidity Lockup: The protocol cannot liquidate NFTs effectively, leading to bad debt accumulation.

NFTs get permanently locked in NFTLiquidator.sol, preventing users from reclaiming them.

ETH cannot be transferred to StabilityPool, disrupting the economic flow of the protocol.

Tools used

Manual review

Recommendations

Convert the ETH into crvUSD tokens, then deposit them in LendingPool.sol and send the minted RTokens to the StabilityPool.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

StabilityPool misses receive/fallback breaking the integration with NFTLiquidator
