Improper Loan Record Deletion Causing Both Healthy and Unhealthy NFTs To Be Deleted
Summary
The function deletes all NFT loan records using delete user.nftTokenIds, removing tracking information for all loans regardless of their status.
Vulnerability Details
This single line:
Erases all NFT loan records
Removes tracking capability for active loans
Destroys historical data
Makes recovery or dispute resolution impossible
```solidity
delete user.nftTokenIds;
```
Impact
Loss of loan tracking information
Accounting system inconsistencies
Impossible to verify loan histories
Difficulty in handling disputes
Complex recovery scenarios
Potential double-liquidation risks
Tools Used
Manual review
Recommendations
There are multiple ways to mitigate this but first if the protocol intend not to keep track of the liquidated NFT, they should delete only the liquidated NFT not all the NFTs owned by the user. If they intend to keep track of liquidated NFTs they should be a loan tracking struct to keep track of all liquidated and non-liquidated NFTs
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.