Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Double Debt Scaling in StabilityPool in liquidateBorrower Leads to Excessive Collateral Seizure

Summary:

The StabilityPool contract contains a critical vulnerability: during liquidations, a borrower's debt is scaled by the usage index twice (once inside LendingPool.getUserDebt and again in StabilityPool.liquidateBorrower), so the debt figure used for liquidation is inflated and more collateral is seized than the real debt justifies.

Vulnerability Details:

The vulnerability exists in StabilityPool.sol:

function liquidateBorrower(address userAddress) external {
    // First scaling: getUserDebt already applies reserve.usageIndex
    uint256 userDebt = lendingPool.getUserDebt(userAddress);
    // Incorrect second scaling of an already index-adjusted value
    uint256 scaledUserDebt = WadRayMath.rayMul(userDebt, lendingPool.getNormalizedDebt());
}

The debt is scaled twice because:

  1. LendingPool.getUserDebt() already returns scaled debt:

function getUserDebt(address userAddress) public view returns (uint256) {
    return user.scaledDebtBalance.rayMul(reserve.usageIndex);
}

  2. liquidateBorrower then scales this already-scaled value again:

uint256 scaledUserDebt = WadRayMath.rayMul(userDebt, lendingPool.getNormalizedDebt());

Impact:

  1. Borrowers lose more collateral than they should during liquidations, while liquidators receive excess collateral based on the inflated debt figure.
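To make the double scaling concrete, the following is an added Python model of the interaction described above; it is not the project's code. The names mirror the report (getUserDebt, getNormalizedDebt, rayMul, scaledDebtBalance, usageIndex), but the half-up rounding in rayMul/rayDiv, the assumption that getNormalizedDebt() returns the reserve's usage index, and the 1:1 collateral-for-debt seizure used to quantify the excess are assumptions made for the example.

```python
# Constructed model of the StabilityPool / LendingPool debt path (not project code).
# Assumptions: ray math rounds half-up like common WadRayMath libraries, and
# getNormalizedDebt() returns the reserve's usage index.

RAY = 10**27  # 1.0 in ray fixed point


def ray_mul(a: int, b: int) -> int:
    """Ray multiplication with half-up rounding (assumed WadRayMath semantics)."""
    return (a * b + RAY // 2) // RAY


def ray_div(a: int, b: int) -> int:
    """Ray division with half-up rounding (assumed WadRayMath semantics)."""
    return (a * RAY + b // 2) // b


class LendingPoolModel:
    """Stand-in for LendingPool: per-user scaled debt plus a growing usage index."""

    def __init__(self) -> None:
        self.usage_index = RAY                  # reserve.usageIndex starts at 1.0
        self.scaled_debt: dict[str, int] = {}   # user.scaledDebtBalance

    def borrow(self, user: str, amount: int) -> None:
        # Principal is stored divided by the current index, i.e. as scaled debt
        self.scaled_debt[user] = self.scaled_debt.get(user, 0) + ray_div(amount, self.usage_index)

    def accrue_interest(self, new_index: int) -> None:
        # Interest accrues by raising the index; scaled balances never change
        assert new_index >= self.usage_index, "usage index must not decrease"
        self.usage_index = new_index

    def get_normalized_debt(self) -> int:
        return self.usage_index

    def get_user_debt(self, user: str) -> int:
        # Mirrors LendingPool.getUserDebt: scaledDebtBalance.rayMul(usageIndex)
        return ray_mul(self.scaled_debt.get(user, 0), self.usage_index)


def vulnerable_liquidation_debt(pool: LendingPoolModel, user: str) -> int:
    """Debt as the reported liquidateBorrower computes it: index applied a second time."""
    user_debt = pool.get_user_debt(user)
    return ray_mul(user_debt, pool.get_normalized_debt())


def fixed_liquidation_debt(pool: LendingPoolModel, user: str) -> int:
    """getUserDebt already applied the index, so its result is the actual debt."""
    return pool.get_user_debt(user)


def excess_collateral(pool: LendingPoolModel, user: str) -> int:
    """Collateral over-seized, assuming collateral is taken 1:1 against debt (assumption)."""
    return vulnerable_liquidation_debt(pool, user) - fixed_liquidation_debt(pool, user)


def scenario(index_after_interest: int) -> dict:
    """Borrow 1000 units (6 decimals), accrue to the given index, compare both paths."""
    pool = LendingPoolModel()
    pool.borrow("borrower", 1_000 * 10**6)
    pool.accrue_interest(index_after_interest)
    return {
        "actual_debt": fixed_liquidation_debt(pool, "borrower"),
        "vulnerable_debt": vulnerable_liquidation_debt(pool, "borrower"),
        "excess": excess_collateral(pool, "borrower"),
    }


if __name__ == "__main__":
    # With no interest accrued the index is exactly 1.0 and the bug is invisible
    print(scenario(RAY))
    # After 25% interest the liquidation debt is overstated by a further 25%
    print(scenario(RAY * 125 // 100))
```

The second scenario shows why the bug is easy to miss in tests: when the usage index is still exactly 1.0 both paths agree, and the overstatement only appears once interest has accrued, growing with the square of the index rather than linearly. A regression test for the fix is the invariant that the debt used by liquidateBorrower equals getUserDebt for any index above 1.0.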

Tools Used:

Manual review.

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

StabilityPool::liquidateBorrower double-scales debt by multiplying already-scaled userDebt with usage index again, causing liquidations to fail
