Incorrect Debt Balance Update in _repay() function
Vulnerability Details
The debt repayment process contains a critical accounting error where the protocol incorrectly updates users' scaled debt balances using raw asset amounts instead of interest-scaled values. This occurs due to:
Wrong Value Type Application
Uses raw asset amount (amountBurned) for scaled balance updates:
Impact
Immediate Consequences
-
Permanent Accounting Corruption
Users appear to have negative debt positions
Total protocol debt becomes unreliable
-
Fund Locking
Users cannot fully repay loans due to arithmetic errors
-
Liquidation System Failure
Liquidators can't properly close positions with corrupted debt data
Recommendations
Fix Balance Update Logic
Lead Judging Commences
LendingPool::borrow tracks debt as user.scaledDebtBalance += scaledAmount while DebtToken mints amount+interest, leading to accounting mismatch and preventing full debt repayment
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.