Collateral and debt units are inconsistent
Summary
This vulnerability arises from the unit mismatch between the user’s collateral value and their total debt calculation when borrowing assets. The user’s collateral value is typically based on market prices (e.g., ETH or USD), while their debt is calculated using the scaledDebtBalance and adjusted by the usageIndex. If these values are not correctly aligned in terms of their units, it can lead to an inaccurate comparison of whether the user has enough collateral to cover their debt.
Vulnerability Details
collateralValue represents the market value of the user's collateral, while userTotalDebt represents the user's total debt. The units of these two values may not be the same, which can lead to potential risks, especially if the system does not ensure that both values are converted to the same unit before comparison.
Why this is a vulnerability:
Inconsistent units: collateralValue is usually expressed in some market unit (such as ETH or USD), while userTotalDebt may be expressed in debt tokens. Therefore, if the units are not unified, the comparison between these two values is meaningless and may lead to wrong judgments.
Impact
Because debt and collateral units are not aligned, the system could allow users to borrow more than their collateral is actually worth.
Tools Used
Manual review
Recommendations
Standardized unit conversion: Ensure that all comparisons involving collateral and debt amounts are performed before unit conversion. By standardizing the value of all collateral and debt to the same unit, logical errors caused by inconsistent units can be avoided.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.