Submission Details
Severity:
Wrong debt tokens accounting in borrow() causes repay() to revert in certain cases
Summary
When borrowing from the Lending Pool, the function calls DebtToken.mint() in order to mint the debt tokens to the user.
(bool isFirstMint, uint256 amountMinted, uint256 newTotalSupply) = IDebtToken(reserve.reserveDebtTokenAddress).mint(msg.sender, msg.sender, amount, reserve.usageIndex);
If we take a look at DebtToken.mint()'s implementation, we can see that theres logic for calculating a balance increase for the user if the usageIndex has increased from before.
if (_userState[onBehalfOf].index != 0 && _userState[onBehalfOf].index < index) {
š balanceIncrease = scaledBalance.rayMul(index) - scaledBalance.rayMul(_userState[onBehalfOf].index);
}
ā
_userState[onBehalfOf].index = index.toUint128();
ā
uint256 amountToMint = amount + balanceIncrease;
ā
_mint(onBehalfOf, amountToMint.toUint128());
Vulnerability Details
The problem is that balanceIncrease is accounted for when updating the user's scaledDebtBalance in the LendingPool contract.
š uint256 scaledAmount = amount.rayDiv(reserve.usageIndex);
ā
// Mint DebtTokens to the user (scaled amount)
(bool isFirstMint, uint256 amountMinted, uint256 newTotalSupply) = IDebtToken(reserve.reserveDebtTokenAddress).mint(msg.sender, msg.sender, amount, reserve.usageIndex);
ā
// Transfer borrowed amount to user
IRToken(reserve.reserveRTokenAddress).transferAsset(msg.sender, amount);
ā
š user.scaledDebtBalance += scaledAmount;
Impact
This creates an inconsistency between DebtToken.balanceOf(user) and LendingPool.user.scaledDebtBalance which makes repay() revert when trying to repay the whole debt.
Infact even the user specifies the exact amount of dept to repay (user.scaledDebtBalance), the function will burn all of user's debt tokens but leave him with scaledDebtBalance > 0;
Proof Of Concept
Click to reveal PoC
Place the following test case in `LendingPool.test.js` below `describe("Borrow and Repay"`:it.only("should showcase inconsistency", async function () {
const borrowAmount = ethers.parseEther("25");
ā
// User1 borrows 25e18 tokens (Any amount works!)
await lendingPool.connect(user1).borrow(borrowAmount);
ā
let debtAmount = await debtToken.balanceOf(user1.address);
let scaledUsage = await lendingPool.getUserDebt(user1.address);
let delta = debtAmount - scaledUsage;
console.log("User1 debt, scaledUsage, delta on first borrow");
console.table({ debtAmount, scaledUsage, delta });
ā
// Some time passes, so usageIndex increases
await ethers.provider.send("evm_increaseTime", [1 * 24 * 60 * 60]);
await ethers.provider.send("evm_mine");
ā
// User1 borrows 25e18 tokens again
await lendingPool.connect(user1).borrow(borrowAmount);
debtAmount = await debtToken.balanceOf(user1.address);
scaledUsage = await lendingPool.getUserDebt(user1.address);
delta = debtAmount - scaledUsage;
console.log("User1 debt, scaledUsage, delta on second borrow");
console.table({ debtAmount, scaledUsage, delta });
ā
// User tries to repay all of his debt at once but fails.
await expect(
lendingPool.connect(user1).repay(debtAmount)
).to.be.revertedWithPanic(0x11);
console.log("Repaying all debt at once failed as expected");
ā
await lendingPool.connect(user1).repay(debtAmount - delta);
ā
debtAmount = await debtToken.balanceOf(user1.address);
scaledUsage = await lendingPool.getUserDebt(user1.address);
delta = debtAmount - scaledUsage;
console.log("User1 debt, scaledUsage, delta after repaying all but delta");
console.table({ debtAmount, scaledUsage, delta });
ā
expect(delta).to.be.gt(0);
expect(delta).to.be.gt(scaledUsage);
});
Logs:
User1 debt, scaledUsage, delta on first borrow
āāāāāāāāāāāāāāā¬āāāāāāāāāāāāāāāāāāāāāāāā
ā (index) ā Values ā
āāāāāāāāāāāāāāā¼āāāāāāāāāāāāāāāāāāāāāāāā¤
ā debtAmount ā 25000000000000000000n ā
ā scaledUsage ā 25000000000000000000n ā
ā delta ā 0n ā
āāāāāāāāāāāāāāā“āāāāāāāāāāāāāāāāāāāāāāāā
User1 debt, scaledUsage, delta on second borrow
āāāāāāāāāāāāāāā¬āāāāāāāāāāāāāāāāāāāāāāāā
ā (index) ā Values ā
āāāāāāāāāāāāāāā¼āāāāāāāāāāāāāāāāāāāāāāāā¤
ā debtAmount ā 50003585486944660850n ā
ā scaledUsage ā 50001792679196224555n ā
ā delta ā 1792807748436295n ā
āāāāāāāāāāāāāāā“āāāāāāāāāāāāāāāāāāāāāāāā
Repaying all debt at once failed as expected
User1 debt, scaledUsage, delta after repaying all but delta
āāāāāāāāāāāāāāā¬āāāāāāāāāāāāāāāāāāāā
ā (index) ā Values ā
āāāāāāāāāāāāāāā¼āāāāāāāāāāāāāāāāāāāā¤
ā debtAmount ā 1792807748436295n ā
ā scaledUsage ā 0n ā
ā delta ā 1792807748436295n ā
āāāāāāāāāāāāāāā“āāāāāāāāāāāāāāāāāāāā
ā should showcase inconsistency (1163ms)
Tools Used
Manual review
Recommendations
Update the following line in LendingPool.sol#borrow()
- user.scaledDebtBalance += scaledAmount;
+ user.scaledDebtBalance += amountMinted;
Updates
Lead Judging Commences
inallhonesty 7 months ago
Submission Judgement Published Assigned finding tags:
LendingPool::borrow tracks debt as user.scaledDebtBalance += scaledAmount while DebtToken mints amount+interest, leading to accounting mismatch and preventing full debt repayment
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420
USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.