Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Overscaling of user debt in `StabilityPool::liquidateBorrower` leads to debt overestimation

Summary

When `liquidateBorrower` is called, it fetches the user's debt, then fetches the normalized debt, and applies an additional normalization step using `rayMul`. However, `LendingPool::getUserDebt` already returns the scaled debt amount, having applied `rayMul` with the `usageIndex`, so the user's debt ends up overscaled.

Vulnerability Details

Here's the affected code:

```solidity
// lendingPool.sol
function getUserDebt(address userAddress) public view returns (uint256) {
    UserData storage user = userData[userAddress];
    return user.scaledDebtBalance.rayMul(reserve.usageIndex); // <== gets the user's debt and scales it
}

function getNormalizedDebt() external view returns (uint256) {
    return reserve.usageIndex; // <== returns the usage index as well
}

// StabilityPool
function liquidateBorrower(address userAddress) external onlyManagerOrOwner nonReentrant whenNotPaused {
    _update();
    // Get the user's debt from the LendingPool.
    uint256 userDebt = lendingPool.getUserDebt(userAddress);
    uint256 scaledUserDebt = WadRayMath.rayMul(userDebt, lendingPool.getNormalizedDebt()); // <== double debt scaling
    // ... (rest of the function is not shown in this excerpt)
}
```

Impact

Overestimation of Debt: Since getUserDebt already applies rayMul to scale the debt, performing another rayMul in liquidateBorrower results in an overly inflated debt value.

Tools Used

Manual review

Recommendations

Remove the extra scaling in `liquidateBorrower`.
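The double scaling and the recommended fix, modelled with exact integer arithmetic as an added example (not code from the submission or the audited contracts). `ray_mul` assumes round-half-up 27-decimal fixed-point multiplication for `rayMul`; the class and function names and the sample balance and index values are constructed for illustration.

```python
RAY = 10**27          # 27-decimal fixed-point unit
HALF_RAY = RAY // 2


def ray_mul(a: int, b: int) -> int:
    """Ray multiplication, rounding half up (assumed behaviour of rayMul)."""
    return (a * b + HALF_RAY) // RAY


class LendingPoolModel:
    """Hypothetical stand-in for the two LendingPool getters quoted above."""

    def __init__(self, usage_index: int):
        self.usage_index = usage_index
        self.scaled_debt_balance = {}

    def get_user_debt(self, user: str) -> int:
        # Already converts the scaled balance into the actual debt.
        return ray_mul(self.scaled_debt_balance[user], self.usage_index)

    def get_normalized_debt(self) -> int:
        return self.usage_index


def liquidation_debt_reported(pool: LendingPoolModel, user: str) -> int:
    """Debt as computed in the reported code: the index is applied twice."""
    return ray_mul(pool.get_user_debt(user), pool.get_normalized_debt())


def liquidation_debt_recommended(pool: LendingPoolModel, user: str) -> int:
    """Debt after the recommendation: use getUserDebt's result as is."""
    return pool.get_user_debt(user)


def overstatement(pool: LendingPoolModel, user: str) -> int:
    return liquidation_debt_reported(pool, user) - liquidation_debt_recommended(pool, user)


# Constructed sample: 1000 tokens (18 decimals) of scaled debt.
fresh = LendingPoolModel(usage_index=RAY)              # index still 1.0
fresh.scaled_debt_balance["alice"] = 1000 * 10**18
aged = LendingPoolModel(usage_index=125 * 10**25)      # index grown to 1.25
aged.scaled_debt_balance["alice"] = 1000 * 10**18

if __name__ == "__main__":
    for name, pool in (("index 1.00", fresh), ("index 1.25", aged)):
        print(name, liquidation_debt_recommended(pool, "alice"),
              liquidation_debt_reported(pool, "alice"), overstatement(pool, "alice"))
```

With the index at exactly 1.0 both paths agree, so a regression test for this finding has to run with a usage index above `RAY`.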

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

StabilityPool::liquidateBorrower double-scales debt by multiplying already-scaled userDebt with usage index again, causing liquidations to fail
