Lines of code
https://github.com/code-423n4/2022-04-abranft/blob/5cd4edc3298c05748e952f8a8c93e42f930a78c2/contracts/NFTPairWithOracle.sol#L205-L210
https://github.com/code-423n4/2022-04-abranft/blob/5cd4edc3298c05748e952f8a8c93e42f930a78c2/contracts/NFTPairWithOracle.sol#L288
Vulnerability details
Impact
A lender can liquidate a borrower's collateral immediately by calling updateLoanParams() in the NFTPairWithOracle contract with the ltvBPS field of the params struct set to 0. This bypasses the checks that are meant to ensure the new terms are favourable to the borrower.
This allows the lender to then call removeCollateral and steal the collateral from the borrower, as the "max" loan has now been set to 0.
This means that a borrower can almost instantly lose their collateral when borrowing assets, which nullifies the primary service of the contract.
Proof of Concept
A POC script can be found here
Recommended Mitigation Steps
Change params.ltvBPS <= cur.ltvBPS to params.ltvBPS >= cur.ltvBPS in here
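The effect of the comparison direction, as an added Python model (not the contract's Solidity and not the POC script referenced above). The seizure rule `oracle_rate * ltv_bps / BPS < amount_owed`, the non-LTV term checks, and all sample numbers are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

BPS = 10_000  # basis-point denominator


@dataclass(frozen=True)
class LoanParams:
    valuation: int            # principal lent
    duration: int             # seconds until the loan expires
    annual_interest_bps: int
    ltv_bps: int              # loan-to-value threshold in basis points


def update_allowed(cur: LoanParams, new: LoanParams, fixed: bool) -> bool:
    """Model of the lender's update check on an outstanding loan.

    fixed=False uses the reported comparison (new.ltv_bps <= cur.ltv_bps);
    fixed=True uses the recommended one (new.ltv_bps >= cur.ltv_bps).
    The other three comparisons are assumed "no worse for the borrower" checks.
    """
    ltv_ok = new.ltv_bps >= cur.ltv_bps if fixed else new.ltv_bps <= cur.ltv_bps
    return (new.duration >= cur.duration
            and new.valuation <= cur.valuation
            and new.annual_interest_bps <= cur.annual_interest_bps
            and ltv_ok)


def lender_can_seize(p: LoanParams, oracle_rate: int, amount_owed: int) -> bool:
    """Assumed pre-expiry rule: the lender may take the NFT only when the
    oracle value scaled by the LTV threshold has fallen below the debt."""
    return oracle_rate * p.ltv_bps // BPS < amount_owed


def simulate(fixed: bool):
    """Return (seizable before update, update accepted, seizable after)."""
    # Constructed sample loan: NFT valued by the oracle at 5x the debt.
    cur = LoanParams(valuation=100, duration=30 * 86_400,
                     annual_interest_bps=1_000, ltv_bps=8_000)
    oracle_rate, amount_owed = 500, 100
    proposed = replace(cur, ltv_bps=0)  # the update described in the report

    before = lender_can_seize(cur, oracle_rate, amount_owed)
    accepted = update_allowed(cur, proposed, fixed)
    active = proposed if accepted else cur
    return before, accepted, lender_can_seize(active, oracle_rate, amount_owed)


if __name__ == "__main__":
    print("reported check:   ", simulate(fixed=False))
    print("recommended check:", simulate(fixed=True))
```

With the reported comparison the zero-LTV update is accepted and a healthy loan becomes seizable; with the recommended comparison the update is rejected and the loan stays protected.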