Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

Accrued Interest Ignored During Debt Repayment

Summary

The burn function in the DebtToken contract fails to account for accrued interest (balanceIncrease)
when repaying debt. Specifically:

  • It retrieves userBalance = balanceOf(from), which does not include newly accrued interest.

  • It caps the repayment amount based on an outdated balance, leading to incorrect debt repayment and accounting.

  • It updates the user's index to the latest value, effectively discarding the balanceIncrease in subsequent calculations.

Vulnerability Details

DebtTokens accrue interest over time using a borrow index (usageIndex in borrow, borrowIndex in repay).
When users borrow, interest is added by minting new DebtTokens corresponding to the accrued interest (balanceIncrease).

    uint256 amountToMint = amount + balanceIncrease;

However, when users repay, the _repay function calls debtToken.burn. The function calculates balanceIncrease based on the borrow index but does not mint equivalent DebtTokens before checking the user's debt balance (userBalance).

    uint256 userBalance = balanceOf(from); // balance does not reflect balanceIncrease
    uint256 balanceIncrease = 0;
    if (_userState[from].index != 0 && _userState[from].index < index) {
        uint256 borrowIndex = ILendingPool(_reservePool).getNormalizedDebt();
        balanceIncrease = userBalance.rayMul(borrowIndex) - userBalance.rayMul(_userState[from].index);
        amount = amount;
    }
    _userState[from].index = index.toUint128(); // index updated
    if (amount > userBalance) { // caps repayment amount to outdated balance
        amount = userBalance;
    }

This outdated balance is then used to cap the repayment amount, ignoring the balanceIncrease.

The mint function correctly accounts for balanceIncrease by minting additional DebtTokens, but the burn function does not follow the same logic.

Impact

Users repay less than they actually owe (principal + interest), as the repayment amount is capped based on an outdated balance.

Tools Used

Manual code review

Recommendations

Modify the burn() function to mint additional debt tokens for accrued interest before processing the repayment.

    // Mint accrued interest before querying balance
    if (balanceIncrease > 0) {
        _mint(from, balanceIncrease.toUint128());
        userBalance += balanceIncrease; // Update balance before checking it
    }
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

DebtToken::burn calculates balanceIncrease (interest) but never applies it, allowing borrowers to repay loans without paying accrued interest

Interest IS applied through the balanceOf() mechanism. The separate balanceIncrease calculation is redundant/wrong. Users pay full debt including interest via userBalance capping.
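The judge's point can be checked with a small model. This is an added example, not the contest code: it assumes an Aave-style token that stores index-scaled balances and has balanceOf() multiply them by the current index. ScaledDebtToken, repay_after_accrual and the sample figures are hypothetical.

```python
RAY = 10**27  # 27-decimal fixed point, as used by rayMul/rayDiv

def ray_mul(a, b):
    # Fixed-point multiply, rounding half up
    return (a * b + RAY // 2) // RAY

def ray_div(a, b):
    # Fixed-point divide, rounding half up
    return (a * RAY + b // 2) // b

class ScaledDebtToken:
    """Toy model (assumption): debt is stored scaled down by the borrow index."""

    def __init__(self):
        self.index = RAY   # normalized debt index, grows as interest accrues
        self.scaled = {}   # user -> scaled (index-independent) balance

    def balance_of(self, user):
        # Scaling by the *current* index folds accrued interest into the result
        return ray_mul(self.scaled.get(user, 0), self.index)

    def mint(self, user, amount):
        self.scaled[user] = self.scaled.get(user, 0) + ray_div(amount, self.index)

    def burn(self, user, amount):
        user_balance = self.balance_of(user)  # principal + interest
        amount = min(amount, user_balance)    # cap is the full debt
        self.scaled[user] -= ray_div(amount, self.index)
        return amount

def repay_after_accrual(principal, new_index, repay_request):
    """Borrow at index 1.0, let the index grow, then repay.
    Returns (debt before repay, amount burned, debt after repay)."""
    token = ScaledDebtToken()
    token.mint("alice", principal)
    token.index = new_index
    owed = token.balance_of("alice")
    burned = token.burn("alice", repay_request)
    return owed, burned, token.balance_of("alice")

if __name__ == "__main__":
    # Constructed figures: 1000 tokens borrowed, index grows 10%, over-sized repay
    print(repay_after_accrual(1000 * 10**18, 11 * 10**26, 2000 * 10**18))
```

Under this model the cap in burn equals principal plus interest, so an over-sized repayment clears the whole debt without a separate mint of balanceIncrease.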

