Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Borrowers immediately have to pay interest as they are minted an incorrect amount

Summary

Borrowers immediately have to pay interest because they are minted an incorrect amount of debt tokens.

Vulnerability Details

When users borrow, we mint them like this:

uint256 amountToMint = amount + balanceIncrease;
_mint(onBehalfOf, amountToMint.toUint128());

If we assume that balanceIncrease is 0, then we simply mint them amount, which is the same number of tokens we send to the borrower:

IRToken(reserve.reserveRTokenAddress).transferAsset(msg.sender, amount);

This results in the borrower immediately having to pay interest, even if he repays in the same second. Consider balanceOf(), which returns the funds a borrower has to repay, including interest:

function balanceOf(address account) public view override(ERC20, IERC20) returns (uint256) {
    uint256 scaledBalance = super.balanceOf(account);
    return scaledBalance.rayMul(ILendingPool(_reservePool).getNormalizedDebt());
}

balanceOf() takes the user's stored balance, which is the amount minted, and then applies the index to it. If the user borrows 100 tokens at an index of 1.5, he is minted 100 tokens, but when he repays he immediately has to pay 100 * 1.5 = 150.

Impact

Borrowers immediately have to repay interest because the wrong value is minted.

Tools Used

Manual Review

Recommendations

When minting, mint the amount divided by the index.
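The accounting described above, modelled as an added example (not the project's code) that compares minting the raw amount with minting the amount divided by the index, and also goes one step further by checking the debt at a later index. The half-up rounding in rayMul/rayDiv follows Aave-style WadRayMath, which is an assumption about the project's library; DebtTokenModel, debtAfterBorrow, the 18-decimal unit and the 1.65 index are constructed for illustration.

```javascript
// Constructed model of the scaled-balance accounting (BigInt, 27-decimal "ray").
const RAY = 10n ** 27n;
const HALF_RAY = RAY / 2n;

// Half-up rounding as in Aave-style WadRayMath (assumed to match the project's library).
const rayMul = (a, b) => (a * b + HALF_RAY) / RAY;
const rayDiv = (a, b) => (a * RAY + b / 2n) / b;

// Hypothetical stand-in for the debt token: it only tracks stored balances.
class DebtTokenModel {
  constructor(mintScaled) {
    this.scaled = new Map();      // account -> stored (scaled) balance
    this.mintScaled = mintScaled; // true: store amount / index; false: store raw amount
  }
  mint(account, amount, index) {
    if (index <= 0n) throw new RangeError("index must be positive");
    const stored = this.mintScaled ? rayDiv(amount, index) : amount;
    this.scaled.set(account, (this.scaled.get(account) ?? 0n) + stored);
  }
  // Mirrors balanceOf(): stored balance multiplied by the current index.
  balanceOf(account, index) {
    return rayMul(this.scaled.get(account) ?? 0n, index);
  }
}

// Debt owed right after borrowing `amount` at `borrowIndex`, and again at `laterIndex`.
function debtAfterBorrow(mintScaled, amount, borrowIndex, laterIndex) {
  const token = new DebtTokenModel(mintScaled);
  token.mint("borrower", amount, borrowIndex);
  return {
    immediately: token.balanceOf("borrower", borrowIndex),
    later: token.balanceOf("borrower", laterIndex),
  };
}

const UNIT = 10n ** 18n;                 // 18-decimal token unit (assumed)
const INDEX_1_5 = (15n * RAY) / 10n;     // index of 1.5, from the finding's example
const INDEX_1_65 = (165n * RAY) / 100n;  // constructed: index after a further 10% growth

const asReported = debtAfterBorrow(false, 100n * UNIT, INDEX_1_5, INDEX_1_65);
const asRecommended = debtAfterBorrow(true, 100n * UNIT, INDEX_1_5, INDEX_1_65);
console.log("mint(amount):        ", asReported);
console.log("mint(amount / index):", asRecommended);
```

With the scaled mint, the debt can differ from the borrowed amount by 1 wei because 100 / 1.5 does not divide evenly; a regression test for the fix should allow for that rounding.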

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

DebtToken::mint miscalculates debt by applying interest twice, inflating borrow amounts and risking premature liquidations
