Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Double Multiplication of User Debt in `liquidateBorrower` Function Leads to Incorrect and Inflated Debt

Summary

The liquidateBorrower function contains a critical issue: the user's debt is incorrectly multiplied twice by the rayMul operation. This results in an inflated debt amount, which leads to incorrect liquidation logic and a potential DoS.


Root cause

  1. First Multiplication:

    • In the getUserDebt function, the user's scaledDebtBalance is multiplied by the reserve.usageIndex using rayMul:

    https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/pools/LendingPool/LendingPool.sol#L579

    return user.scaledDebtBalance.rayMul(reserve.usageIndex);
    • This correctly calculates the user's debt by scaling the scaledDebtBalance with the usageIndex.

  2. Second Multiplication:

    • In the liquidateBorrower function, the userDebt (already scaled by usageIndex) is multiplied again by the normalizedDebt using rayMul:

    https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/pools/StabilityPool/StabilityPool.sol#L453

    uint256 scaledUserDebt = WadRayMath.rayMul(userDebt, lendingPool.getNormalizedDebt());
    • This results in the user's debt being multiplied twice, leading to an incorrect and inflated debt amount.

Impact

  • Incorrect Debt Calculation: The user's debt is inflated due to double multiplication.

  • DoS: If the inflated userDebt exceeds the balance of the StabilityPool contract, liquidation will always revert.

  • An incorrect amount will be approved to lendingPool

  • Incorrect event emission

Fix

Remove the second multiplication in the liquidateBorrower function. The userDebt returned by getUserDebt is already scaled and should not be multiplied again.
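
The double scaling described above, modeled with BigInt arithmetic as an added example (not code from the submission or the RAAC repository). It assumes an Aave-style half-up rayMul and, following the judge's finding tag, that getNormalizedDebt() returns the usage index; canLiquidate and all sample values are constructed for illustration.

```javascript
// Added illustration: models the arithmetic only, not the RAAC contracts.
const RAY = 10n ** 27n;
const HALF_RAY = RAY / 2n;

// Assumption: Aave-style ray multiplication with half-up rounding.
function rayMul(a, b) {
  return (a * b + HALF_RAY) / RAY;
}

// Mirrors LendingPool.getUserDebt: scaled balance -> actual debt.
function getUserDebt(scaledDebtBalance, usageIndex) {
  return rayMul(scaledDebtBalance, usageIndex);
}

// Reported behaviour: the already-scaled debt is multiplied by the index again.
function liquidationDebtBuggy(scaledDebtBalance, usageIndex) {
  const userDebt = getUserDebt(scaledDebtBalance, usageIndex);
  return rayMul(userDebt, usageIndex);
}

// Suggested fix: use the value returned by getUserDebt unchanged.
function liquidationDebtFixed(scaledDebtBalance, usageIndex) {
  return getUserDebt(scaledDebtBalance, usageIndex);
}

// Hypothetical helper modeling the balance check that makes liquidation revert.
function canLiquidate(poolBalance, debtToCover) {
  return poolBalance >= debtToCover;
}

// Constructed sample values: 18-decimal token, usage index of 1.25 in ray.
const scaledDebt = 1000n * 10n ** 18n;
const usageIndex = (125n * RAY) / 100n;
const poolBalance = 1300n * 10n ** 18n;

const fixed = liquidationDebtFixed(scaledDebt, usageIndex);
const buggy = liquidationDebtBuggy(scaledDebt, usageIndex);

console.log({ fixed, buggy, overstatement: buggy - fixed });
console.log("liquidation possible with fixed debt:", canLiquidate(poolBalance, fixed));
console.log("liquidation possible with buggy debt:", canLiquidate(poolBalance, buggy));
```

With these inputs the pool holds enough to cover the real debt, yet the inflated figure exceeds its balance, which is the revert condition listed under Impact.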

Updates

Lead Judging Commences

inallhonesty Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

StabilityPool::liquidateBorrower double-scales debt by multiplying already-scaled userDebt with usage index again, causing liquidations to fail
