Borrowers Do Not Pay `balanceIncrease` in `LendingPool._repay()`
Summary
The DebtToken.burn() function returns the balanceIncrease, which represents the accrued borrow fees. However, the LendingPool._repay() function only requires borrowers to repay the burned debt amount (amount) and does not account for the balanceIncrease. This allows borrowers to avoid paying borrow fees, resulting in a loss of revenue for the protocol.
Vulnerability Details
The DebtToken.burn() function calculates the balanceIncrease, which represents the accrued borrow fees due to interest.
However, the LendingPool._repay() function only requires borrowers to repay the amount (burned debt amount) and ignores the balanceIncrease.
This allows borrowers to repay their debt without paying the accrued borrow fees, effectively bypassing the protocol's fee mechanism.
Impact
Borrowers benefit from not paying the fees they owe.
Tools Used
vscode
Recommendations
Update the LendingPool._repay() function to include the balanceIncrease in the repayment amount. Borrowers should repay both the principal (amount) and the accrued fees (balanceIncrease).
Lead Judging Commences
DebtToken::burn calculates balanceIncrease (interest) but never applies it, allowing borrowers to repay loans without paying accrued interest
Interest IS applied through the balanceOf() mechanism. The separate balanceIncrease calculation is redundant/wrong. Users pay full debt including interest via userBalance capping.
DebtToken::burn calculates balanceIncrease (interest) but never applies it, allowing borrowers to repay loans without paying accrued interest
Interest IS applied through the balanceOf() mechanism. The separate balanceIncrease calculation is redundant/wrong. Users pay full debt including interest via userBalance capping.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.