Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

`LendingPool::_repay` transfer the wrong amount from user due wrong returned value from intermediary function, causing a revert or transfering more than it should from user

77SecMentees

Summary

LendingPool::repay calls _repay internally. This function will burn the debtTokensminted when the user opens a borrow position. The function receives the amount, and behalfOf parameters. After some checks the DebtToken::burn is called forwarding the amount.

Vulnerability Details

The DebtToken::burnreturns four values:

amountBurned
newTotalSupply
amountScaled
balanceIncrease

While the LendingPool::_repay expect to receive the following order:

amountScaled
newTotalSupply
amountBurned
balanceIncrease

// Transfer reserve assets from the caller (msg.sender) to the reserve

IERC20(reserve.reserveAssetAddress).safeTransferFrom(msg.sender, reserve.reserveRTokenAddress, amountScaled);

Impact

After receiving the wrong amount, the LendingPool::_repaywill try to transfer a bigger amount from the user. If he has given enough approval, it will succeed, if not the function will always revert.

Transferring more, the user will pay more than he should.
Reverting, the user will be blocked from repaying the borrowed amount.

Tools Used

Code Review

Recommendations

Adjust the returned value, so the transfers occur over the correct amount.

- return (amount, totalSupply(), amountScaled, balanceIncrease);

+ return (amountScaled, totalSupply(), amount, balanceIncrease);

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

DebtToken::burn calculates balanceIncrease (interest) but never applies it, allowing borrowers to repay loans without paying accrued interest

Interest IS applied through the balanceOf() mechanism. The separate balanceIncrease calculation is redundant/wrong. Users pay full debt including interest via userBalance capping.

DebtToken::burn returns items in the wrong order

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

DebtToken::burn calculates balanceIncrease (interest) but never applies it, allowing borrowers to repay loans without paying accrued interest

Interest IS applied through the balanceOf() mechanism. The separate balanceIncrease calculation is redundant/wrong. Users pay full debt including interest via userBalance capping.

DebtToken::burn returns items in the wrong order

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!