Submission Details
Severity:
Incorrect debt amount calculation during liquidation in the stability pool
Summary
The debt amount is calculated as:
function liquidateBorrower(
address userAddress
) external onlyManagerOrOwner nonReentrant whenNotPaused {
// Get the user's debt from the LendingPool.
uint256 userDebt = lendingPool.getUserDebt(userAddress);
//@audit use userDebt
uint256 scaledUserDebt = WadRayMath.rayMul(
userDebt,
lendingPool.getNormalizedDebt()
);
However, the user debt already comes updated from the lending pool according to the last stored index. In order to properly cover the user debt, this function should update the usage index for the accrued interest since the last update and the second multiplication should not be performed.
Vulnerability Details
Impact
Tools Used
Manual review.
Recommendations
Update the index before calculating the debt and avoid duplicated multiplication.
Updates
Lead Judging Commences
inallhonesty 4 months ago
Submission Judgement Published Assigned finding tags:
StabilityPool: liquidateBorrower should call lendingPool.updateState earlier, to ensure the updated usageIndex is used in calculating the scaledUserDebt
StabilityPool::liquidateBorrower double-scales debt by multiplying already-scaled userDebt with usage index again, causing liquidations to fail
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.