Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Double-Scaling User Debt in StabilityPool

Summary:

StabilityPool.liquidateBorrower() multiplies user debt by getNormalizedDebt() even though the debt is already scaled by the usage index, so the interest factor is applied twice.

Vulnerability Details:

uint256 userDebt = lendingPool.getUserDebt(userAddress);
uint256 scaledUserDebt = WadRayMath.rayMul(userDebt, lendingPool.getNormalizedDebt());

getUserDebt() already returns debt scaled by the usage index; multiplying again squares the index, overestimating debt.

Impact:

Liquidations may fail or require too much CRVUSD, potentially locking user positions or leading to partial reverts.
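
The overestimate described above, as an added Python model (not code from the RAAC contracts or from the submitter). It assumes Aave-style round-half-up rayMul, a per-user balance stored before the index is applied, and a simple "pool balance >= required amount" liquidation check; all names and numbers are constructed for illustration.

```python
# Added model of the double scaling; not the project's Solidity code.
RAY = 10**27   # 27-decimal fixed point used for indices
WAD = 10**18   # 18-decimal token amounts

def ray_mul(a: int, b: int) -> int:
    """Round-half-up ray multiplication (assumed Aave-style rayMul)."""
    return (a * b + RAY // 2) // RAY

class LendingPoolModel:
    """Assumed layout: pre-index balance per user plus a global usage index."""
    def __init__(self, usage_index: int):
        self.usage_index = usage_index
        self.scaled_balance = {}  # user -> balance before the index is applied

    def get_normalized_debt(self) -> int:
        return self.usage_index

    def get_user_debt(self, user: str) -> int:
        # Already index-adjusted, which is the premise of the finding.
        return ray_mul(self.scaled_balance[user], self.usage_index)

def debt_as_reported(pool: LendingPoolModel, user: str) -> int:
    """Mirrors the two quoted lines: the index is applied a second time."""
    user_debt = pool.get_user_debt(user)
    return ray_mul(user_debt, pool.get_normalized_debt())

def debt_as_recommended(pool: LendingPoolModel, user: str) -> int:
    """The recommendation: use getUserDebt() as is."""
    return pool.get_user_debt(user)

def can_liquidate(required: int, crvusd_balance: int) -> bool:
    # Assumed check: the pool must hold at least the required amount.
    return crvusd_balance >= required

def demo():
    pool = LendingPoolModel(usage_index=125 * RAY // 100)  # constructed: 1.25
    pool.scaled_balance["alice"] = 1_000 * WAD             # constructed position
    buggy = debt_as_reported(pool, "alice")
    fixed = debt_as_recommended(pool, "alice")
    balance = 1_300 * WAD                                  # constructed crvUSD held
    return buggy, fixed, can_liquidate(buggy, balance), can_liquidate(fixed, balance)

if __name__ == "__main__":
    buggy, fixed, ok_buggy, ok_fixed = demo()
    print(buggy / WAD, fixed / WAD, ok_buggy, ok_fixed)
```

The gap between the two figures equals one extra factor of the index, so it widens as interest accrues and is zero only while the index is exactly 1 ray.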

Tools Used:

  • Manual review of usage index logic (DebtToken / LendingPool / StabilityPool)

Recommendations:

  • Remove the second multiplication by getNormalizedDebt(). Use userDebt directly if it’s already scaled.

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

StabilityPool::liquidateBorrower double-scales debt by multiplying already-scaled userDebt with usage index again, causing liquidations to fail
