Moonwell

DeFiFoundry
15,000 USDC
Submission Details
Severity: medium
Invalid

Bad debt for a particular user is not updated in MErc20DelegateFixer::repayBadDebtWithCash when the user repays bad debt with cash.

Summary

In the MErc20DelegateFixer::repayBadDebtWithCash() function, a user can repay bad debt with cash to reduce the amount of bad debt in the protocol.

Vulnerability Details

However, MErc20DelegateFixer::repayBadDebtWithCash() does not update the bad debt of that particular user. So why would a user be interested in repaying the bad debt amount, when doing so only reduces badDebt, which is the total sum of borrowed balances not returned by users?

Impact

The impact is that no user will want to repay bad debt, because doing so does not improve the standing of their account in any way.

Tools Used

Manual review

Recommendations

The recommendation is to add a mapping that tracks the bad debt of each user separately and reduces the bad debt of the particular account that repays bad debt with cash.

    // Per-account bad debt, tracked alongside the global badDebt total
    mapping(address => uint256) badDebtOf;

    function repayBadDebtWithCash(uint256 amount) external nonReentrant {
        /// Checks and Effects
        badDebt = SafeMath.sub(badDebt, amount, "amount exceeds bad debt");
        // @audit also reduce the bad debt recorded for the repaying account
        badDebtOf[msg.sender] = SafeMath.sub(badDebtOf[msg.sender], amount);
        EIP20Interface token = EIP20Interface(underlying);

        /// Interactions
        require(
            token.transferFrom(msg.sender, address(this), amount),
            "transfer in failed"
        );

        emit BadDebtRepayed(amount);
    }

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
