[Lines of code](https://github.com/with-backed/papr/blob/9528f2711ff0c1522076b9f93fba13f88d5bd5e6/src/PaprController.sol#L264-L294) # Vulnerability details ## Impact When there is a reservoir oracle message with the price of the NFT equal to zero, the debt of a vault will be reset in the PaprController.purchaseLiquidationAuctionNFT () function when a NFT is bought in an auction. So the borrower can now withdraw all other NFTs in the vault that he could previously not withdraw because of the debt. In essence this means that a zero price allows defaulted borrowers to bypass paying back their debt. This scenario of course requires that there is a zero price oracle message. It is hard to assess how likely this is. However there are multiple reasons for why this scenario should be considered and it should be made sure that the protocol can handle it: 1. The protocol can support less liquid NFTs making a zero price more likely 2. If the protocol cannot handle a zero price, the reservoir oracle becomes a single point of failure and even one bad price can mess up the protocol 3. Regardless of the price the protocol should behave in a consistent manner, i.e. liquidate NFTs if debt is not backed by collateral It was assessed with the sponsor that they want to protect against this scenario where there exists a zero price. The expected behavior for when a zero price occurs is for all vaults that hold debt to become liquidatable. Currently however only one NFT in each vault will be liquidated. The other NFTs can then be withdrawn be the borrower. ## Proof of Concept 1. Assume there is already an auction for NFT1 going on because Borrower1 has not enough collateral to back his debt 2. Now there is a reservoir oracle message with a zero price 3. This oracle message is passed to the PaprController.purchaseLiquidationAuctionNFT function () when the NFT is bought (Borrower1 might buy the NFT himself to reset his debt). Since the oracle price is zero, collateralValueCached will be equal to zero (regardless of the NFT count in the vault) (): uint256 collateralValueCached = underwritePriceForCollateral( auction.auctionAssetContract, ReservoirOracleUnderwriter.PriceKind.TWAP, oracleInfo ) * _vaultInfo[auction.nftOwner][auction.auctionAssetContract].count; Thereby isLastCollateral is true (): bool isLastCollateral = collateralValueCached == 0; And the debt of the vault is reset to 0 (): if (isLastCollateral && remaining != 0) { /// there will be debt left with no NFTs, set it to 0 _reduceDebtWithoutBurn(auction.nftOwner, auction.auctionAssetContract, remaining); } 4. Now Borrower1 can call PaprController.removeCollateral () and withdraw all his other NFTs from the vault ## Tools Used VSCode ## Recommended Mitigation Steps bool isLastCollateral should be true only when the actual NFT count in the vault is zero, not when collateralValueCached == 0. So the PaprController.purchaseLiquidationAuctionNFT function should be changed like this: ) external override { + uint256 nftCount = _vaultInfo[auction.nftOwner][auction.auctionAssetContract].count; uint256 collateralValueCached = underwritePriceForCollateral( auction.auctionAssetContract, ReservoirOracleUnderwriter.PriceKind.TWAP, oracleInfo - ) * _vaultInfo[auction.nftOwner][auction.auctionAssetContract].count; - bool isLastCollateral = collateralValueCached == 0; + ) * nftCount; + bool isLastCollateral = nftCount == 0; uint256 debtCached = _vaultInfo[auction.nftOwner][auction.auctionAssetContract].debt; uint256 maxDebtCached = isLastCollateral ? debtCached : _maxDebt(collateralValueCached, updateTarget()); --- The text was updated successfully, but these errors were encountered: All reactions