Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Double Debt Index Multiplication in Burn Function Will Cause Excessive Token Burn

victortheoracle

Summary

In the DebtToken's burn function, the accrued interest adjustment is calculated by applying the debt index twice on an already indexed balance, leading to an excessive token burn. This may force users to burn more tokens than they should, causing repayment discrepancies.

Vulnerability Details

uint256 userBalance = balanceOf(from);

uint256 balanceIncrease = 0;

if (_userState[from].index != 0 && _userState[from].index < index) {

uint256 borrowIndex = ILendingPool(_reservePool).getNormalizedDebt();

balanceIncrease = userBalance.rayMul(borrowIndex) - userBalance.rayMul(_userState[from].index);

The burn function retrieves the user’s balance using the overridden balanceOf method, which already includes the normalized debt. It then computes the accrued interest by multiplying this balance by both the new and old indexes. This redundant multiplication inflates the calculated balanceIncrease, thereby overstating the debt to be repaid.

Impact

Excessive Token Deduction: Users could lose more tokens during repayment than intended, misaligning their debt obligations.
Repayment Mismatch: Over-calculation of interest may lead to discrepancies in the repayment process and overall debt tracking.

Tools Used

Manual Review

Recommendations

Correct the accrued interest calculation by using the raw balance from the underlying ERC20 implementation. For instance, change the calculation as follows:

uint256 rawUserBalance = super.balanceOf(from);

if (_userState[from].index != 0 && _userState[from].index < index) {

uint256 borrowIndex = ILendingPool(_reservePool).getNormalizedDebt();

balanceIncrease = rawUserBalance.rayMul(borrowIndex) - rawUserBalance.rayMul(_userState[from].index);

}

This modification ensures the debt index is applied only once, preventing an exaggerated token burn.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Assigned finding tags:

DebtToken::burn calculates balanceIncrease (interest) but never applies it, allowing borrowers to repay loans without paying accrued interest

Interest IS applied through the balanceOf() mechanism. The separate balanceIncrease calculation is redundant/wrong. Users pay full debt including interest via userBalance capping.

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Assigned finding tags:

DebtToken::burn calculates balanceIncrease (interest) but never applies it, allowing borrowers to repay loans without paying accrued interest

Interest IS applied through the balanceOf() mechanism. The separate balanceIncrease calculation is redundant/wrong. Users pay full debt including interest via userBalance capping.

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!