The refinance
function in the provided smart contract allows borrowers to refinance existing loans to new offers using a pool of funds. However, there is a potential issue related to loss of precision in the fee calculation, which may lead to incorrect fee values and financial discrepancies during the loan refinancing process.
Within the refinance
function, the vulnerability arises in the fee calculation step, where the borrower's fee is determined based on the difference between the new debt amount (debt
) and the calculated amount to be paid (debtToPay
). The code snippet in question is as follows:
The vulnerability stems from the possibility of an overflow or loss of precision when performing the intermediate calculation (borrowerFee * (debt - debtToPay)
). If the intermediate result exceeds the maximum representable value for a uint256
, the subsequent division by 10000
could produce an incorrect fee value.
The impact of this vulnerability is that borrowers may be charged incorrect or unexpected fees during the loan refinancing process, leading to financial losses or discrepancies between the borrower's expectation and the actual fee charged.
Manual
Use fixed-point arithmetic to handle the intermediate calculations. Fixed-point arithmetic involves representing fractional values with a fixed number of decimal places.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.