Each subsequent loan imposes an additional fee that should not be there
Summary
User might borrow tokens and this is fine, but every time user take another loan, he is charged with an additional fee which is proportional to current debt. This shouldn't happen because the debt token already increases with usageIndex (the balanceOf function multiplies the user's balance by the normalized debt), so this fee shouldn't exist. But even if this were the case, it could easily be bypassed by simply paying off the debt and then borrowing an larger amount.
Vulnerability Details
The first time user borrows, this function mints tokens for the user, which is fine because the balanceIncrease will be 0. But the second time user borrows, his debt increases according to some strange formula.
-
User borrows 100 tokens at usageIndex 1.0
-
usageIndex increases to 1.1, so user has 110 usd in debt.
-
The same user borrows 1000 tokens at usageIndex 1.1
(line 14): balanceIncrease = 110 * 1.1 - 110 * 1.0 = 11
-
So just by borrowing his debt increases not by 1000, but by 1011 and is equal to 1121
For some reason the user has to pay 11 tokens more than he should.
User could also pay back his debt (110) and then borrow 1110 tokens again, this way he would be only 1110 tokens in debt. Because when borrowing scaledBalance would be equal to 0.
Impact
User gets more debt tokens that he should, which means he has to pay more for his previous borrows.
Tools Used
Manual Review
Recommendations
My quess is this is a leftover after some refactor, so balanceIncrease should be removed
Lead Judging Commences
DebtToken::mint miscalculates debt by applying interest twice, inflating borrow amounts and risking premature liquidations
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.