Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

Incorrect Amount Used in Interest Rate & Liquidity Update

Summary

A vulnerability in the updateInterestRatesAndLiquidity function results in incorrect calculations of interest rates and liquidity due to the use of an improperly scaled amount. This could lead to miscalculated borrower interest and an inaccurate representation of available liquidity.

Vulnerability Details

LendingPool::_repay and LendingPool::finalizeLiquidation pass an incorrect parameter to ReserveLibrary.updateInterestRatesAndLiquidity:

In LendingPool::_repay

// Update liquidity and interest rates
ReserveLibrary.updateInterestRatesAndLiquidity(reserve, rateData, amountScaled, 0);

In LendingPool::finalizeLiquidation

// Update liquidity and interest rates
ReserveLibrary.updateInterestRatesAndLiquidity(reserve, rateData, amountScaled, 0);

updateInterestRatesAndLiquidity

/**
 * @notice Updates the interest rates and liquidity based on the latest reserve state.
 * @dev Should be called after any operation that changes the liquidity or debt of the reserve.
 * @param reserve The reserve data.
 * @param rateData The reserve rate parameters.
 * @param liquidityAdded The amount of liquidity added (in underlying asset units).
 * @param liquidityTaken The amount of liquidity taken (in underlying asset units).
 */
function updateInterestRatesAndLiquidity(
    ReserveData storage reserve,
    ReserveRateData storage rateData,
    uint256 liquidityAdded,
    uint256 liquidityTaken
) internal {
    // ... REST OF CODE
}

Why is This Incorrect?

  • The function expects liquidityAdded and liquidityTaken in underlying asset units.

  • amountScaled is in scaled debt units, which means it does not correctly represent the actual liquidity added.
    Using amountScaled miscalculates reserve interest rates and available liquidity, which can distort protocol economics.
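
The unit mismatch described in this section, modeled in isolation. This is an added example, not code from the submission or the contest repository; the reserve shape, the usageIndex name, the ray (1e27) scaling and the sample numbers are all assumptions made for illustration.

```javascript
// Constructed model (not the contest code): index-scaled debt accounting.
const RAY = 10n ** 27n;
const rayDiv = (a, b) => (a * RAY + b / 2n) / b; // rounded ray division

// Hypothetical reserve: `tracked` is the liquidity the rate model sees,
// `balance` is what the pool actually holds, both in underlying units.
// `usageIndex` (assumed name) converts scaled debt to underlying debt.
function makeReserve(balance, usageIndex) {
  return { tracked: balance, balance, usageIndex };
}

// Follows the documented contract of updateInterestRatesAndLiquidity:
// both amounts are expected in underlying asset units.
function updateLiquidity(reserve, liquidityAdded, liquidityTaken) {
  reserve.tracked = reserve.tracked + liquidityAdded - liquidityTaken;
}

// Repay `amount` underlying. `passScaled` selects which value is
// reported to the liquidity update: scaled debt units or underlying.
function repay(reserve, amount, passScaled) {
  const amountScaled = rayDiv(amount, reserve.usageIndex);
  reserve.balance += amount; // tokens actually received by the pool
  updateLiquidity(reserve, passScaled ? amountScaled : amount, 0n);
  return amountScaled;
}

// Invariant a test suite can assert after every state-changing call:
// tracked liquidity must equal the real underlying balance.
function liquidityDrift(reserve) {
  return reserve.balance - reserve.tracked;
}

// Constructed sample: 1,000 tokens in the pool, index at 1.25,
// one repayment of 100 tokens (18 decimals).
function runScenario(passScaled) {
  const unit = 10n ** 18n;
  const reserve = makeReserve(1000n * unit, (RAY * 125n) / 100n);
  repay(reserve, 100n * unit, passScaled);
  return liquidityDrift(reserve);
}

console.log("drift when underlying is passed:", runScenario(false));
console.log("drift when scaled is passed:", runScenario(true));
```

A drift check of this kind in the test suite shows directly whether the value reaching the liquidity update is in underlying units, regardless of what the variable is called.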

Impact

  • Incorrect interest rate calculations leading to overcharging or undercharging borrowers.

  • Misallocated lender yield, affecting lender returns.

  • Inaccurate liquidity tracking, which could cause improper borrowing and lending decisions.

  • Potential financial losses due to miscalculated protocol economics.
    If exploited, this could result in financial inconsistencies, making the protocol unstable over time.

Tools Used

Manual Review

Recommendations

In LendingPool::_repay, pass amount instead of amountScaled; amount represents the repayment in underlying asset units:

// Update liquidity and interest rates
- ReserveLibrary.updateInterestRatesAndLiquidity(reserve, rateData, amountScaled, 0);
+ ReserveLibrary.updateInterestRatesAndLiquidity(reserve, rateData, amount, 0);
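
Review bot: the `+` line passes `amount`, but nothing in this hunk shows whether `amount` is the caller-supplied value or the amount actually transferred into the reserve after any capping against the outstanding debt. `liquidityAdded` is documented as the amount of liquidity added in underlying asset units, so pass the value that matches the token transfer and state its unit in the comment above the call. The hunk also does not show where `amountScaled` is assigned, so check what the producing function actually returns before relying on the variable name.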

In LendingPool::finalizeLiquidation

// Update liquidity and interest rates
- ReserveLibrary.updateInterestRatesAndLiquidity(reserve, rateData, amountScaled, 0);
+ ReserveLibrary.updateInterestRatesAndLiquidity(reserve, rateData, userDebt, 0);
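
Review bot: `userDebt` on the `+` line is not defined anywhere in the visible lines, so its unit and the point at which it is computed cannot be verified from this hunk. `liquidityAdded` is documented as underlying asset units; confirm that `userDebt` is the underlying amount actually transferred into the reserve during liquidation, and say so in the comment above the call.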

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

DebtToken::burn calculates balanceIncrease (interest) but never applies it, allowing borrowers to repay loans without paying accrued interest

Interest IS applied through the balanceOf() mechanism. The separate balanceIncrease calculation is redundant/wrong. Users pay full debt including interest via userBalance capping.
