Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

The debt increases incorrectly when a user borrows

Summary

The debt increases incorrectly when a user borrows

Vulnerability Details

Whenever a user borrows, we have the following code:

uint256 scaledBalance = balanceOf(onBehalfOf);
bool isFirstMint = scaledBalance == 0;
uint256 balanceIncrease = 0;
if (_userState[onBehalfOf].index != 0 && _userState[onBehalfOf].index < index) {
    balanceIncrease = scaledBalance.rayMul(index) - scaledBalance.rayMul(_userState[onBehalfOf].index);
}

The intent is to accrue interest on the user's debt, but the calculation is wrong because balanceOf() already returns the amount with the accrued debt included:

function balanceOf(address account) public view override(ERC20, IERC20) returns (uint256) {
    uint256 scaledBalance = super.balanceOf(account);
    return scaledBalance.rayMul(ILendingPool(_reservePool).getNormalizedDebt());
}

Thus, the variable named scaledBalance in the borrow path holds the wrong value. The scaled balance is supposed to be the balance without the index multiplication, but balanceOf() does not return the scaled balance: it returns the balance already multiplied by the index. Using that value in the computation inflates the interest charged to the borrower. This happens when the user borrows for a second time, as on a first borrow there would be no interest for them.
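The effect in numbers, as an added example that is not part of the original submission or the project's code: a Python model of the quoted check. It assumes rayMul and rayDiv are the usual 1e27 fixed-point operations with half-up rounding and that the first borrow stored the principal divided by the index at that time; the function names are illustrative.

```python
RAY = 10**27  # assumed 27-decimal fixed-point unit behind rayMul

def ray_mul(a: int, b: int) -> int:
    """a * b / RAY, rounded half up."""
    return (a * b + RAY // 2) // RAY

def ray_div(a: int, b: int) -> int:
    """a * RAY / b, rounded half up."""
    return (a * RAY + b // 2) // b

def balance_increase(balance: int, user_index: int, index: int) -> int:
    """Mirror of the interest check quoted from the borrow path."""
    if user_index != 0 and user_index < index:
        return ray_mul(balance, index) - ray_mul(balance, user_index)
    return 0

def second_borrow(principal: int, user_index: int, index: int) -> dict:
    """Compare the increase computed from balanceOf() with the one
    computed from the stored (scaled) balance."""
    # Assumption: the first borrow stored principal / index-at-borrow.
    stored = ray_div(principal, user_index)
    # balanceOf() as quoted: stored balance times the current index.
    balance_of = ray_mul(stored, index)
    return {
        "from_balance_of": balance_increase(balance_of, user_index, index),
        "from_scaled": balance_increase(stored, user_index, index),
    }

if __name__ == "__main__":
    # Constructed sample: 1000 tokens (18 decimals) borrowed at index 1.0,
    # second borrow when the index has grown to 1.1.
    r = second_borrow(1000 * 10**18, RAY, 11 * 10**26)
    for name, value in r.items():
        print(f"{name}: {value / 10**18:.2f}")
```

The value computed from balanceOf() is the correct increase multiplied once more by the current index, so the overstatement grows as the index grows.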

Note that this is a different finding from the one in burn(): while the issues are similar, they are in different functions, and fixing one does not fix the other.

Impact

Borrowers will pay more interest.

Tools Used

Manual Review

Recommendations

Use the scaled balance instead.

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

DebtToken::mint miscalculates debt by applying interest twice, inflating borrow amounts and risking premature liquidations
