Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Incorrect Interest Scaling in `burn` Function Allows Borrowers to Underpay Debt, Leading to Protocol Insolvency

daniel526

The burn function incorrectly calculates debt repayment by using an outdated _userState[from].index before updating it to the latest index. This results in an incorrect computation of balanceIncrease, which represents the accrued interest. The function fetches borrowIndex from ILendingPool(_reservePool).getNormalizedDebt() after performing calculations based on the outdated index, creating a discrepancy between expected and actual debt repayments. To add, amountScaled = amount.rayDiv(index); incorrectly reduces the repayment amount due to improper scaling, potentially causing debt underpayment. The incorrect execution flow is evident in the following code snippet:

uint256 balanceIncrease = 0;

if (_userState[from].index != 0 && _userState[from].index < index) {

uint256 borrowIndex = ILendingPool(_reservePool).getNormalizedDebt();

balanceIncrease = userBalance.rayMul(borrowIndex) - userBalance.rayMul(_userState[from].index);

}

_userState[from].index = index.toUint128();

uint256 amountScaled = amount.rayDiv(index); // @audit Incorrect scaling reduces repayment

Since amountScaled is calculated before properly updating _userState[from].index, it may be smaller than the actual debt owed, allowing borrowers to repay less than they should. This results in accumulated unpaid interest, leading to a discrepancy between recorded and actual debt.

Impact

Borrowers can underpay their debt, leading to an increasing gap between total outstanding debt and actual repayments, which over time causes protocol insolvency as unpaid interest accumulates.

Mitigation:

Update _userState[from].index before computing balanceIncrease, fetch borrowIndex first, and use borrowIndex instead of index when calculating amountScaled.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Assigned finding tags:

DebtToken::burn calculates balanceIncrease (interest) but never applies it, allowing borrowers to repay loans without paying accrued interest

Interest IS applied through the balanceOf() mechanism. The separate balanceIncrease calculation is redundant/wrong. Users pay full debt including interest via userBalance capping.

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Assigned finding tags:

DebtToken::burn calculates balanceIncrease (interest) but never applies it, allowing borrowers to repay loans without paying accrued interest

Interest IS applied through the balanceOf() mechanism. The separate balanceIncrease calculation is redundant/wrong. Users pay full debt including interest via userBalance capping.

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!