Submission Details
Severity: high
Valid

Pool balance is decremented twice in `refinance()` leading to the tokens getting stuck

Summary

The `refinance()` method of the `Lender` contract lets a borrower move an existing loan to another pool. On a successful call the old pool's balance is increased by `loan.debt + lenderInterest` (principal repaid plus the interest owed to the old lender) and the new pool's balance is decreased by `debt` (the amount the new pool now funds). However, the deduction of `debt` from the new pool's balance is executed twice, so the new pool's recorded balance ends up `debt` lower than the tokens it actually backs. The result is incorrect accounting and loan tokens that are stuck in the protocol.

Vulnerability Details

`debt` is deducted from the new pool's balance at both of the following lines in the same execution path of `refinance()`:

https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L636

https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L698

As a result, the new pool's balance is decremented by `2 * debt`, while only `debt` is actually lent to the borrower. Because pool balances are the only record from which lenders can withdraw, the extra `debt` worth of tokens held by the contract is attributed to no pool and no loan, and there is no legitimate way to retrieve it.
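The following is an added illustration of the accounting described above; it is a constructed Python model, not code from the Beedle repository. It tracks the contract's actual token holdings separately from the per-pool balances, performs a refinance with and without the duplicate decrement, and reports how many tokens no longer belong to any pool. Pool identifiers, amounts, and the simplification that the refinanced debt equals the original debt are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Loan:
    pool: str   # pool currently funding the loan
    debt: int   # principal owed by the borrower


@dataclass
class LenderModel:
    """Constructed model of Lender pool accounting (not Beedle's Lender.sol)."""

    token_balance: int = 0                              # loan tokens actually held by the contract
    pools: dict = field(default_factory=dict)           # pool id -> recorded poolBalance
    loans: list = field(default_factory=list)

    def add_pool(self, pool_id: str, amount: int) -> None:
        # lender deposits `amount`: tokens enter the contract and are recorded to the pool
        self.pools[pool_id] = self.pools.get(pool_id, 0) + amount
        self.token_balance += amount

    def borrow(self, pool_id: str, debt: int) -> int:
        # tokens leave the contract to the borrower; the pool's recorded balance shrinks by `debt`
        if self.pools[pool_id] < debt:
            raise ValueError("insufficient pool balance")
        self.pools[pool_id] -= debt
        self.token_balance -= debt
        self.loans.append(Loan(pool_id, debt))
        return len(self.loans) - 1

    def refinance(self, loan_id: int, new_pool: str, lender_interest: int,
                  double_decrement: bool) -> None:
        # assumption: the refinanced debt equals the original debt, so no tokens move to/from the borrower
        loan = self.loans[loan_id]
        debt = loan.debt
        # borrower pays the accrued interest into the contract
        self.token_balance += lender_interest
        # old pool is made whole: principal plus the interest owed to it
        self.pools[loan.pool] += debt + lender_interest
        # new pool now funds the loan, so its balance drops by `debt` ...
        self.pools[new_pool] -= debt
        if double_decrement:
            # ... and, in the reported bug, drops by `debt` a second time
            self.pools[new_pool] -= debt
        loan.pool = new_pool

    def unaccounted_tokens(self) -> int:
        # tokens the contract holds that no pool balance can claim; should always be 0
        return self.token_balance - sum(self.pools.values())


def simulate(double_decrement: bool) -> int:
    """Run deposit -> borrow -> refinance and return the number of stuck tokens."""
    m = LenderModel()
    m.add_pool("poolA", 1_000)
    m.add_pool("poolB", 1_000)
    loan_id = m.borrow("poolA", 500)
    m.refinance(loan_id, "poolB", lender_interest=50, double_decrement=double_decrement)
    return m.unaccounted_tokens()


if __name__ == "__main__":
    print("stuck tokens with single decrement:", simulate(False))
    print("stuck tokens with double decrement:", simulate(True))
```

With the single decrement the contract's holdings equal the sum of pool balances, so every token held is withdrawable by some lender. With the double decrement the difference equals exactly `debt`: the new pool's lender can only withdraw what the contract recorded, and the surplus is unreachable.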

Impact

Loan tokens equal to `debt` per affected refinance are left in the contract without being attributed to any pool, so they cannot be withdrawn by any lender. Pool balances no longer reflect the tokens the contract actually holds.

Tools Used

Manual review

Recommendations

Remove the duplicate decrement at the following line so that the new pool's balance is reduced by `debt` only once:
https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L698
