The LendingPair.withdrawUniPosition function allows the user to withdraw their UniswapV3 pool position (NFT) again.
As the Uniswap position acts as collateral in the protocol, a health check is performed afterwards.
However, it does not check the current debt of the caller as it does not accrue the debt for both tokens first.
Impact
In the worst case, in low-activity markets, it could happen that debt has not accrued for a long time and the current debt is significantly higher than the current recorded debt in totalDebtAmount.
An account with a de-facto negative health ratio if the debt was accrued could still withdraw their collateral NFT instead of having to repay their debt first.
Recommendation
Accrue the debt for both tokens first in LendingPair.withdrawUniPosition.
Handle
cmichel
Vulnerability details
The
LendingPair.withdrawUniPositionfunction allows the user to withdraw their UniswapV3 pool position (NFT) again. As the Uniswap position acts as collateral in the protocol, a health check is performed afterwards.However, it does not check the current debt of the caller as it does not
accruethe debt for both tokens first.Impact
In the worst case, in low-activity markets, it could happen that debt has not accrued for a long time and the current debt is significantly higher than the current recorded debt in
totalDebtAmount. An account with a de-facto negative health ratio if the debt was accrued could still withdraw their collateral NFT instead of having to repay their debt first.Recommendation
Accrue the debt for both tokens first in
LendingPair.withdrawUniPosition.