Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

if (crvUSDBalance < scaledUserDebt) is incorrectly validated in the function liquidateBorrower(StabilityPool.sol).

Summary

When the function liquidateBorrower is called, it reverts if crvUSDBalance (i.e. the balance in the stability pool) is less than scaledUserDebt. Here scaledUserDebt is bigger than the borrower's real debt. The borrower's real debt is userDebt, i.e. lendingPool.getUserDebt(userAddress). In the userDebt calculation, the borrower's debt token balance is already multiplied with liquidityindex. After that, in the scaledUserDebt calculation, userDebt is multiplied with liquidityindex again. So scaledUserDebt returns a bigger/inflated debt for the borrower than the actual debt. Because scaledUserDebt is what is validated against crvUSDBalance, there may come a scenario where a user's real debt is equal to the total crvUSDBalance of the StabilityPool, but liquidation is still not possible.

Vulnerability Details

1. Let's assume Alice's total debt tokens, i.e. user.scaledDebtBalance, are 100, and currently reserve.usageIndex, or lendingPool.getNormalizedDebt(), = 1.2e27. Alice's debt position has isUnderLiquidation[userAddress] = true, so Alice's debt position is liquidatable.

2. Currently crvUSDBalance = 120 in the StabilityPool contract.

3. Now the function liquidateBorrower (StabilityPool) is called for Alice's debt position address, where userDebt = 120 (100*1.2) and scaledUserDebt = 120*1.2 = 144.

**4. as crvUSDBalance

Impact

There may come a scenario where a user's real debt is equal to the total crvUSDBalance of the StabilityPool, but liquidation is still not possible because scaledUserDebt is validated against crvUSDBalance.

Tools Used

Manual review

Recommendations

Validate crvUSDBalance against userDebt.
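
The Alice scenario and the recommended check, modelled in JavaScript with BigInt. This is an added example, not the project's contract code. `RAY`, `WAD`, the half-up `rayMul`, and the function names `canLiquidateReported`, `canLiquidateRecommended` and `overstatement` are assumptions made for illustration.

```javascript
// Added model of the finding's debt math; not the project's contract code.
// Assumption: 27-decimal "ray" fixed point with half-up rounding.
const RAY = 10n ** 27n;
const WAD = 10n ** 18n; // assumed 18-decimal token amounts
const rayMul = (a, b) => (a * b + RAY / 2n) / RAY;

// Models lendingPool.getUserDebt(): scaled balance times the current index.
function getUserDebt(scaledDebtBalance, usageIndex) {
  return rayMul(scaledDebtBalance, usageIndex);
}

// Check as the finding reports it: userDebt is scaled by the index a second
// time, and liquidation reverts when the pool balance is below that figure.
function canLiquidateReported(crvUSDBalance, scaledDebtBalance, usageIndex) {
  const userDebt = getUserDebt(scaledDebtBalance, usageIndex);
  const scaledUserDebt = rayMul(userDebt, usageIndex);
  return crvUSDBalance >= scaledUserDebt;
}

// Check as the finding recommends: compare the pool balance with userDebt.
function canLiquidateRecommended(crvUSDBalance, scaledDebtBalance, usageIndex) {
  return crvUSDBalance >= getUserDebt(scaledDebtBalance, usageIndex);
}

// How much the double-scaled figure overstates the real debt. It is zero while
// the index is exactly 1e27, so a test run at that index would not expose it.
function overstatement(scaledDebtBalance, usageIndex) {
  const userDebt = getUserDebt(scaledDebtBalance, usageIndex);
  return rayMul(userDebt, usageIndex) - userDebt;
}

// Constructed values from the Alice scenario above.
const aliceScaled = 100n * WAD;
const index = 12n * 10n ** 26n; // 1.2e27
const poolBalance = 120n * WAD;

console.log("userDebt:", getUserDebt(aliceScaled, index) / WAD);
console.log("reported check passes:", canLiquidateReported(poolBalance, aliceScaled, index));
console.log("recommended check passes:", canLiquidateRecommended(poolBalance, aliceScaled, index));
console.log("overstatement:", overstatement(aliceScaled, index) / WAD);
```

A regression test for the fix should run with a usage index above 1e27, since the two checks agree when the index is exactly 1e27.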

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

StabilityPool::liquidateBorrower double-scales debt by multiplying already-scaled userDebt with usage index again, causing liquidations to fail
