Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

The borrower's debt to repay is increased incorrectly

Summary

The borrower's debt to repay is increased incorrectly

Vulnerability Details

When a user repays, we call DebtToken::burn():

    uint256 userBalance = balanceOf(from);
    uint256 balanceIncrease = 0;
    if (_userState[from].index != 0 && _userState[from].index < index) {
        uint256 borrowIndex = ILendingPool(_reservePool).getNormalizedDebt();
        balanceIncrease = userBalance.rayMul(borrowIndex) - userBalance.rayMul(_userState[from].index);
        amount = amount;
    }
    _userState[from].index = index.toUint128();

The code above aims to accrue the interest he has to repay based on the current index and his cached index. The issue is that the balanceOf() call already gets the amount with accrued interest:

    function balanceOf(address account) public view override(ERC20, IERC20) returns (uint256) {
        uint256 scaledBalance = super.balanceOf(account);
        return scaledBalance.rayMul(ILendingPool(_reservePool).getNormalizedDebt());
    }

This means that we are doing a weird calculation. Let's imagine the cached index is 1, the current one is 1.5, and the user has a scaled balance of 100. balanceOf() would return 150 (150 * 1.5). Then we would do 150 * 1.5 - 150 * 1 = 75, which means that the added interest is supposed to be 75. However, that is incorrect: as the index went up 50%, the user's debt must also increase by 50% to a total of 150. Essentially, the balanceOf() value is correct.

NOTE: balanceIncrease is not even used afterwards, which makes the bug not actually occur, but that is a completely separate bug. Here the bug is about the fact that the way to compute the accrued interest is completely incorrect, which will occur as soon as the bug that balanceIncrease is unused is fixed. A lot of that will happen during the contest, as the logic is infected with bugs and each bug makes another bug not actually happen.

Impact

Interest accrued incorrectly, loss of funds for the borrower

Tools Used

Manual Review

Recommendations

Either use the scaled balance for the calculations or simply use the balanceOf() result
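
The index arithmetic from the walkthrough above, modelled with BigInt as an added example (not the protocol's or the submitter's code). It assumes rayMul is Aave-style half-up ray multiplication and lets a single currentIndex stand in for both index and getNormalizedDebt(); the function names are hypothetical.

```javascript
// Added example: models the index arithmetic on this page; not the protocol's code.
const RAY = 10n ** 27n;

// Assumption: rayMul is Aave-style ray multiplication, rounding half up.
function rayMul(a, b) {
  return (a * b + RAY / 2n) / RAY;
}

// Mirrors balanceOf() as quoted: scaled balance times the current normalized debt.
function balanceOf(scaledBalance, currentIndex) {
  return rayMul(scaledBalance, currentIndex);
}

// burn() as quoted: starts from balanceOf(), which already includes the interest.
function balanceIncreaseAsWritten(scaledBalance, cachedIndex, currentIndex) {
  if (cachedIndex === 0n || cachedIndex >= currentIndex) return 0n;
  const userBalance = balanceOf(scaledBalance, currentIndex);
  return rayMul(userBalance, currentIndex) - rayMul(userBalance, cachedIndex);
}

// Recommendation: derive the increase from the scaled balance instead.
function balanceIncreaseFromScaled(scaledBalance, cachedIndex, currentIndex) {
  if (cachedIndex === 0n || cachedIndex >= currentIndex) return 0n;
  return rayMul(scaledBalance, currentIndex) - rayMul(scaledBalance, cachedIndex);
}

// Checks both results against the invariant:
// debt at the cached index + accrued interest == balanceOf().
function checkAccrual(scaledBalance, cachedIndex, currentIndex) {
  const debtAtCachedIndex = rayMul(scaledBalance, cachedIndex);
  const debtNow = balanceOf(scaledBalance, currentIndex);
  const asWritten = balanceIncreaseAsWritten(scaledBalance, cachedIndex, currentIndex);
  const fromScaled = balanceIncreaseFromScaled(scaledBalance, cachedIndex, currentIndex);
  return {
    debtNow, asWritten, fromScaled,
    asWrittenHolds: debtAtCachedIndex + asWritten === debtNow,
    fromScaledHolds: debtAtCachedIndex + fromScaled === debtNow,
  };
}

// Constructed input from the walkthrough: scaled balance 100, cached index 1, current index 1.5.
const sample = checkAccrual(100n, RAY, 15n * 10n ** 26n);
console.log(sample);
```

The same invariant can be turned into a Hardhat test assertion so that any later change that starts using balanceIncrease is checked against balanceOf().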

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

DebtToken::burn calculates balanceIncrease (interest) but never applies it, allowing borrowers to repay loans without paying accrued interest

Interest IS applied through the balanceOf() mechanism. The separate balanceIncrease calculation is redundant/wrong. Users pay full debt including interest via userBalance capping.
