Core Contracts

Relevant GitHub Links

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/pools/LendingPool/LendingPool.sol#L425

Summary

The LendingPool contract incorrectly subtracts an unscaled amount (amountBurned) from a scaled balance (scaledDebtBalance), causing incorrect debt accounting. This mismatch in units leads to users having incorrectly recorded debt balances.

Vulnerability Details

In the LendingPool contract, when updating user's debt balance after a repayment, the code incorrectly subtracts an unscaled amount from a scaled balance:

The issue arises because:

• scaledDebtBalance tracks debt without interest (scaled)

• amountBurned includes interest (unscaled)

• Subtracting an unscaled amount from a scaled balance mixes incompatible units

Example scenario:

• User has 100 tokens original debt

• Interest rate is 10% (index = 1.1)

• Raw debt = 110 tokens

• Scaled debt = 100 tokens

• User repays 55 tokens (raw)

• Current code: Subtracts 55 from scaled balance of 100, resulting in 45

• Correct accounting: Should subtract scaled amount (55/1.1 = 50) from 100, resulting in 50

Impact

This accounting error leads to incorrect debt tracking which can result in:

1. Users being able to borrow more than their limits allow (if debt is underreported)

2. Users being unable to withdraw their collateral when they should be able to (if debt is overreported)

The severity is high because:

• It directly affects core protocol accounting

• Can lead to loss of funds through excess borrowing or locked collateral

• Error compounds with each repayment

Tools Used

Manual review

Recommendations

Update the debt balance calculation to use the scaled amount:

This ensures both values are in scaled terms before subtraction, maintaining correct debt accounting.