Debt interest is deleted upon repaying instead of accruing it
Summary
Debt interest is deleted upon repaying instead of accruing it
Vulnerability Details
Upon calling DebtToken::burn(), we have the following code:
If we assume that the variables used are correct (they're not), we will note that the idea is to get the debt increase of the user and afterwards we store the new index value. The issue is that balanceIncrease is unused anywhere which means that no interest was actually accrued and the borrower can, essentially, skip repaying the interest.
If we imagine the user has a balance of 100 (scaled balance even though userBalance is not scaled which is wrong) and the stored index is 1 while the current one is 1.5, then he has to pay 50 assets of interest which we will simply skip.
Impact
Loss of funds for suppliers
Tools Used
Manual Review
Recommendations
Use the balanceIncrease value
Lead Judging Commences
DebtToken::burn calculates balanceIncrease (interest) but never applies it, allowing borrowers to repay loans without paying accrued interest
Interest IS applied through the balanceOf() mechanism. The separate balanceIncrease calculation is redundant/wrong. Users pay full debt including interest via userBalance capping.
DebtToken::burn calculates balanceIncrease (interest) but never applies it, allowing borrowers to repay loans without paying accrued interest
Interest IS applied through the balanceOf() mechanism. The separate balanceIncrease calculation is redundant/wrong. Users pay full debt including interest via userBalance capping.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.