Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

Misordered Return Variables from DebtToken.burn Leading to Incorrect Variable Use

Summary

The DebtToken contract’s burn function returns a tuple in the order (amount, totalSupply(), amountScaled, balanceIncrease). However, in the LendingPool contract’s _repay function, the returned values are destructured in a different order, which causes the variables to be misinterpreted. This misordering leads to improper updates of the user’s debt balance during repayment.

Vulnerability Details

Location: DebtToken.burn (return order) and LendingPool._repay function (variable assignment)

Impact: Incorrect variable interpretation in the repayment process, potentially resulting in inaccurate debt balance updates

Return Order in DebtToken.burn:

The burn function returns its values in the following order:

return (amount, totalSupply(), amountScaled, balanceIncrease);

Variable Destructuring in LendingPool._repay:

The _repay function destructures the result as though the return order were (amountScaled, newTotalSupply, amountBurned, balanceIncrease):

(uint256 amountScaled, uint256 newTotalSupply, uint256 amountBurned, uint256 balanceIncrease) =
IDebtToken(reserve.reserveDebtTokenAddress).burn(onBehalfOf, amount, reserve.usageIndex);

This causes:

• The first returned value amount to be interpreted as amountScaled.

• Subsequent values are similarly misassigned.

Impact

Inaccurate Debt Accounting: The misinterpretation of return values can result in the wrong debt amounts being deducted, leading to discrepancies in the user’s debt balance.

Tools Used

Recommendations

If the intended return order is (amount, totalSupply(), amountScaled, balanceIncrease), then update the _repay function to destructure the tuple accordingly:

(uint256 amountRepaid, uint256 newTotalSupply, uint256 amountScaled, uint256 balanceIncrease) =
IDebtToken(reserve.reserveDebtTokenAddress).burn(onBehalfOf, amount, reserve.usageIndex);
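
The mis-binding described in this finding, reduced to a self-contained mock, together with a struct-returning variant that removes the dependence on position. This is an added example, not code from the audited repository: MockDebtToken, BurnResult, RepayCaller and the plain-division scaling formula are assumptions made for illustration; only the return order and the destructuring names come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical mock, not the audited DebtToken.
contract MockDebtToken {
    uint256 internal constant RAY = 1e27;
    uint256 public totalSupply = 1000e18; // constructed sample value

    struct BurnResult {
        uint256 amount;
        uint256 totalSupply;
        uint256 amountScaled;
        uint256 balanceIncrease;
    }

    // Same positional order the finding quotes from DebtToken.burn.
    // Assumption: amountScaled = amount * RAY / index (simplified, no rounding).
    function burn(uint256 amount, uint256 index)
        public view returns (uint256, uint256, uint256, uint256)
    {
        return (amount, totalSupply, amount * RAY / index, 0);
    }

    // Hardened variant: callers read fields by name, so the order cannot drift.
    function burnStruct(uint256 amount, uint256 index)
        external view returns (BurnResult memory r)
    {
        (r.amount, r.totalSupply, r.amountScaled, r.balanceIncrease) = burn(amount, index);
    }
}

contract RepayCaller {
    // Mirrors the destructuring quoted from _repay: slot 0 is named amountScaled.
    function misread(MockDebtToken t, uint256 amount, uint256 index)
        external view returns (uint256 amountScaled, uint256 amountBurned)
    {
        (amountScaled, , amountBurned, ) = t.burn(amount, index);
        // amount = 110e18, index = 1.1e27: amountScaled == 110e18 (underlying
        // units) and amountBurned == 100e18 (scaled units), i.e. swapped.
    }

    // Field access by name returns each value under its own label.
    function readByName(MockDebtToken t, uint256 amount, uint256 index)
        external view returns (uint256 amountScaled, uint256 amount_)
    {
        MockDebtToken.BurnResult memory r = t.burnStruct(amount, index);
        return (r.amountScaled, r.amount);
    }
}
```

The two readings only diverge when the index differs from 1e27, so a regression test for this class of bug should use a non-unit index.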

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

DebtToken::burn calculates balanceIncrease (interest) but never applies it, allowing borrowers to repay loans without paying accrued interest

Interest IS applied through the balanceOf() mechanism. The separate balanceIncrease calculation is redundant/wrong. Users pay full debt including interest via userBalance capping.

DebtToken::burn returns items in the wrong order
