`DebtToken::burn` Incorrect Debt Token Burning Amount Allows Users to Repay Less Than Required
Summary
The DebtToken::burn function burns the unscaled amount when it should be burning the scaled amount allowing users to repay less than they should when interest has accrued on their debt.
Vulnerability Details
Inside DebtToken::burn when we call _burn we pass in the amount from the parameter, and this value is the unscaled version which does not account for any interest that has accrued, which in return when calling LendingPool::repay to pay off their debt, they won't suffer from any of the interest.
You can also see the event is expecting amountScaled to be burned.
Example:
User borrows 100 tokens (index = 1e27)
After interest accrues (index = 2e27), debt is worth 200 tokens
User tries to repay 50 tokens
Should burn 25 debt tokens (50/2 due to index doubling)
But burns 50 tokens instead, getting 2x value for their repayment
Impact
Users can repay their debt without properly accounting for accrued interest, allowing them to pay significantly less than they should. This leads to protocol value loss as interest payments are effectively discounted.
Tools Used
Foundry
Recommendations
Inside DebtToken::burn fix the call to _burn to pass in amountScaled like so:
Lead Judging Commences
DebtToken::burn incorrectly burns amount (asset units) instead of amountScaled (token units), breaking token economics and interest-accrual mechanism
DebtToken::burn incorrectly burns amount (asset units) instead of amountScaled (token units), breaking token economics and interest-accrual mechanism
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.