Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Overestimation of Borrower Debt Leading to Excess Liquidation Costs in the liquidateBorrower() function

Summary

A critical bug in the liquidateBorrower() function of the StabilityPool.sol contract causes borrower debt to be overestimated because the usageIndex scaling factor is applied twice. This produces incorrectly high liquidation amounts, so Stability Pool depositors overpay for liquidations and Stability Pool funds can be drained prematurely.

Vulnerability Details

Within liquidateBorrower(), the user's debt is first retrieved correctly using:

uint256 userDebt = lendingPool.getUserDebt(userAddress);

However, getUserDebt() in LendingPool.sol already applies the interest rate multiplier (usageIndex), as seen in:

return user.scaledDebtBalance.rayMul(reserve.usageIndex);

Yet, the function incorrectly scales the debt again by calling:

uint256 scaledUserDebt = WadRayMath.rayMul(userDebt, lendingPool.getNormalizedDebt());

Since lendingPool.getNormalizedDebt() is also equivalent to usageIndex, this results in:

scaledUserDebt = user.scaledDebtBalance * usageIndex * usageIndex;

This incorrectly applies usageIndex twice, making liquidation amounts artificially high.

Impact

Since scaledUserDebt is larger than the real debt, the Stability Pool pays more than required to cover liquidations. Depositors lose more RTokens (rCRVUSD) than necessary, leading to faster depletion of the Stability Pool.

Tools Used

Manual review

Recommendations

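Remove the redundant scaling in liquidateBorrower(): use the value returned by lendingPool.getUserDebt() directly instead of multiplying it by lendingPool.getNormalizedDebt() a second time.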
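
The double scaling and the recommended fix can be reproduced numerically. The following is an added Python model, not code from the audited contracts: the function names are hypothetical, and ray_mul is assumed to round half-up in the style of Aave's WadRayMath. It also shows why a test run at the initial index of 1 RAY would not catch the bug.

```python
# Added illustration: Python model of the ray (1e27) fixed-point arithmetic.
# All names here are hypothetical; only the formulas come from the finding.
RAY = 10**27
HALF_RAY = RAY // 2


def ray_mul(a: int, b: int) -> int:
    """Ray multiplication with half-up rounding (assumed rounding mode)."""
    return (a * b + HALF_RAY) // RAY


def get_user_debt(scaled_debt_balance: int, usage_index: int) -> int:
    """Models LendingPool.getUserDebt(): scaledDebtBalance.rayMul(usageIndex)."""
    return ray_mul(scaled_debt_balance, usage_index)


def liquidation_amount_buggy(scaled_debt_balance: int, usage_index: int) -> int:
    """Models the reported flow: the already-scaled debt is scaled again."""
    user_debt = get_user_debt(scaled_debt_balance, usage_index)
    # getNormalizedDebt() is equivalent to usageIndex according to the finding.
    return ray_mul(user_debt, usage_index)


def liquidation_amount_fixed(scaled_debt_balance: int, usage_index: int) -> int:
    """Models the recommendation: use getUserDebt() as-is."""
    return get_user_debt(scaled_debt_balance, usage_index)


def overcharge(scaled_debt_balance: int, usage_index: int) -> int:
    """Extra amount the Stability Pool would pay because of the double scaling."""
    return (liquidation_amount_buggy(scaled_debt_balance, usage_index)
            - liquidation_amount_fixed(scaled_debt_balance, usage_index))


if __name__ == "__main__":
    scaled = 1000 * 10**18  # constructed sample: 1000 tokens, 18 decimals
    # Constructed index values: 1.0, 1.1 and 1.5 in ray precision.
    for index in (RAY, 11 * 10**26, 15 * 10**26):
        real = liquidation_amount_fixed(scaled, index)
        wrong = liquidation_amount_buggy(scaled, index)
        print(f"index={index / RAY:.2f} real={real // 10**18} "
              f"buggy={wrong // 10**18} overcharge={(wrong - real) // 10**18}")
```

The overcharge is zero while the index is exactly 1 RAY and grows with accrued interest, so a regression test for the fix should advance the index before liquidating.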

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

StabilityPool::liquidateBorrower double-scales debt by multiplying already-scaled userDebt with usage index again, causing liquidations to fail
