Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Incorrect Computation of `userDebt`, `actualRepayAmount` in `_repay()` in `LendingPool`

Description

Function `_repay()` in `LendingPool` incorrectly computes `userDebt`, which in turn leads to an invalid value being assigned to `actualRepayAmount`:

```solidity
// Calculate the user's debt (for the onBehalfOf address)
uint256 userDebt = IDebtToken(reserve.reserveDebtTokenAddress).balanceOf(onBehalfOf);
uint256 userScaledDebt = userDebt.rayDiv(reserve.usageIndex);
// If amount is greater than userDebt, cap it at userDebt
uint256 actualRepayAmount = amount > userScaledDebt ? userScaledDebt : amount;
```

Notice that we fetch `userDebt` by directly querying `balanceOf` on the debt token.

However, we wrongly assume that the returned value is NOT scaled, when in fact this value has already been SCALED, because these tokens are MINTED directly using the scaled amount when the user made a borrow.

Comparing such a value (which is scaled twice) against the `amount` variable is completely wrong, and would always lead to assigning `userScaledDebt` to `actualRepayAmount`.

Next, we assign this value to the `scaledAmount` variable and perform scaling yet again, which should not be the intended behaviour.

Tools Used

Manual

Recommendations

Consider using `userDebt` directly when assigning `actualRepayAmount`.
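
The effect of the extra `rayDiv` on the repayment cap, as an added example that is not part of the original submission or the project's code: it models the snippet's arithmetic with BigInt next to the recommended cap. The sample balance and index are constructed, and the half-up rounding in `rayDiv` is an assumption based on the common WadRayMath convention.

```javascript
// Added example: models the capping arithmetic of _repay() off-chain.
// RAY = 1e27; half-up rounding in rayDiv is an assumption (WadRayMath style).
const RAY = 10n ** 27n;

// a / b in ray precision, rounded half up.
function rayDiv(a, b) {
  if (b === 0n) throw new Error("rayDiv: division by zero");
  return (a * RAY + b / 2n) / b;
}

// Cap as written in the snippet: the balanceOf() result is divided by
// usageIndex once more before it is compared with `amount`.
function capAsWritten(amount, debtTokenBalance, usageIndex) {
  const userScaledDebt = rayDiv(debtTokenBalance, usageIndex);
  return amount > userScaledDebt ? userScaledDebt : amount;
}

// Cap per the recommendation: compare `amount` with userDebt directly.
function capRecommended(amount, debtTokenBalance) {
  return amount > debtTokenBalance ? debtTokenBalance : amount;
}

// Constructed sample values, not taken from the contest code base.
function demo() {
  const usageIndex = (125n * RAY) / 100n; // usage index of 1.25
  const balance = 1000n * 10n ** 18n;     // value returned by balanceOf(onBehalfOf)
  const amount = balance;                 // caller attempts to repay the full balance
  const written = capAsWritten(amount, balance, usageIndex);
  const recommended = capRecommended(amount, balance);
  // shortfall: part of the balance the capped repayment can never cover
  return { written, recommended, shortfall: recommended - written };
}

const result = demo();
console.log(`cap as written:  ${result.written}`);
console.log(`cap recommended: ${result.recommended}`);
console.log(`shortfall:       ${result.shortfall}`);
```

With any usage index above 1 ray, the cap as written is smaller than the value `balanceOf` reported, so a full repayment is cut short by the difference.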

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

DebtToken::mint miscalculates debt by applying interest twice, inflating borrow amounts and risking premature liquidations
