`DebtToken::burn()` assumes a 1:1 between shares and amount
Summary
DebtToken::burn() burns an incorrect amount of shares
Vulnerability Details
Upon repaying a loan, DebtToken::burn() is called where this is a part of the code:
Then, let's see how the return values are used:
As seen, we use the first return value which is the amount value in burn() as the value to transfer to the RToken contract. Thus, the same value that is used to burn shares is also the amount used to repay the amount which is incorrect. This assumes that the shares and amount are 1:1 which is obviously not the case as interest accrues over time.
Impact
Wrong amount will be repaid
Tools Used
Manual Review
Recommendations
Very hard to give a recommendation as the whole logic is completely wrong
Lead Judging Commences
DebtToken::burn calculates balanceIncrease (interest) but never applies it, allowing borrowers to repay loans without paying accrued interest
Interest IS applied through the balanceOf() mechanism. The separate balanceIncrease calculation is redundant/wrong. Users pay full debt including interest via userBalance capping.
DebtToken::burn calculates balanceIncrease (interest) but never applies it, allowing borrowers to repay loans without paying accrued interest
Interest IS applied through the balanceOf() mechanism. The separate balanceIncrease calculation is redundant/wrong. Users pay full debt including interest via userBalance capping.
Appeal created
DebtToken::burn incorrectly burns amount (asset units) instead of amountScaled (token units), breaking token economics and interest-accrual mechanism
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.