Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

No Call To liquidateNFT() Makes NFTs Stuck In StabilityPool

BBnDD

Vulnerability Details

liquidateNFT() can only be called by the StabilityPool to transfer an NFT from the StabilityPool to NFTLiquidator where it will be listed for sale.

function liquidateNFT(uint256 tokenId, uint256 debt) external {
>>> if (msg.sender != stabilityPool) revert OnlyStabilityPool();
>>> nftContract.transferFrom(msg.sender, address(this), tokenId);
tokenData[tokenId] = TokenData({
debt: debt,
auctionEndTime: block.timestamp + 3 days,
highestBid: 0,
highestBidder: address(0)
});
indexToken.mint(stabilityPool, debt);
emit NFTLiquidated(tokenId, debt);
emit AuctionStarted(tokenId, debt, tokenData[tokenId].auctionEndTime);
}

However, there is no invocation of the liquidateNFT() function making all NFTs send to StabilityPool stuck in it.

Flow of a Liquidation

  1. User is marked for liquidation

  2. StabilityPool calls finalizeLiquidation() in LendingPool and gets all of the user's NFTs

  3. StabilityPool calls liquidateNFT() in NFTLiquidator.sol and transfers the NFTs - this part does not happen

Impact

Liquidity Lockup: The protocol cannot liquidate NFTs, leading to bad debt accumulation.

Tools Used

manual review

Recommendations

Implement the logic for invoking liquidateNFT() in StabilityPool.sol.

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Liquidated RAACNFTs are sent to the StabilityPool by LendingPool::finalizeLiquidation where they get stuck

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.