Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

`StabilityPool::liquidateBorrower()` calculates the user's debt incorrectly

Summary

`StabilityPool::liquidateBorrower()` calculates the user's debt incorrectly.

Vulnerability Details

To calculate `scaledUserDebt`, we have the following code:

```solidity
uint256 userDebt = lendingPool.getUserDebt(userAddress);
uint256 scaledUserDebt = WadRayMath.rayMul(userDebt, lendingPool.getNormalizedDebt());
```

The issue is that `getUserDebt()` already returns the debt with interest included (due to the index multiplication):

```solidity
function getUserDebt(address userAddress) public view returns (uint256) {
    UserData storage user = userData[userAddress];
    return user.scaledDebtBalance.rayMul(reserve.usageIndex);
}
```

Then we apply the index again, which makes the amount higher than it should be, because the index is applied twice. Liquidations can then become impossible due to this check:

```solidity
if (crvUSDBalance < scaledUserDebt) revert InsufficientBalance();
```

Because `scaledUserDebt` is incorrectly inflated, this check can fail, making liquidations impossible in cases where they should be possible.

Impact

Liquidations will revert incorrectly

Tools Used

Manual Review

Recommendations

Do not apply the index twice

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

StabilityPool::liquidateBorrower double-scales debt by multiplying already-scaled userDebt with usage index again, causing liquidations to fail
