Submission Details
Severity:
Repayment Logic Mismatch in LendingPool
Summary:
_repay() in LendingPool clamps amount to actualRepayAmount but still calls DebtToken.burn(...) with the original amount, relying on the DebtToken to clamp again.
Vulnerability Details:
uint256 actualRepayAmount = (amount > userScaledDebt) ? userScaledDebt : amount;
( uint256 amountScaled, ... ) = debtToken.burn(onBehalfOf, amount, reserve.usageIndex);
Mismatch can create confusion or dust leftover, as the final burn amount is decided internally by DebtToken.
Impact:
Not exploitable in typical scenarios, but could lead to partial reverts or leftover debt if misused.
Tools Used:
Manual code reading
Tracing repay flow (
LendingPool,DebtToken)
Recommendations:
Pass the properly capped
actualRepayAmounttodebtToken.burn(...)for clarity and to avoid partial dust.
Updates
Lead Judging Commences
inallhonesty 4 months ago
Submission Judgement Published Assigned finding tags:
LendingPool::_repay emits Repay event with capped actualRepayAmount instead of the real amountScaled value that was transferred, causing misleading event data
inallhonesty 4 months ago
Submission Judgement Published Assigned finding tags:
LendingPool::_repay emits Repay event with capped actualRepayAmount instead of the real amountScaled value that was transferred, causing misleading event data
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.