Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

Wrong Health Factor Assumption

Summary

In the LendingPool.sol contract, the calculateHealthFactor function does not ensure that the health factor is calculated in RAY decimals (27 decimal places), leading to inconsistencies that depend on the decimals of the collateral value.

Vulnerability Details

The vulnerability arises from the calculateHealthFactor function, which calculates the user's health factor based on their collateral value and debt. The function does not ensure that the health factor is calculated in RAY decimals (27 decimal places). Instead, it directly uses the collateral value and debt, which may have different decimal places. This can lead to inconsistencies in the health factor calculation, as the result will depend on the decimals of the collateral value.

Example Scenario

Consider the following scenario:

  1. A user has a collateral value of 1,000,000 with 18 decimals (1,000,000 * 10^18).

  2. The user's debt is 500,000 with 18 decimals (500,000 * 10^18).

  3. The liquidation threshold is 80%.

Current Implementation:

uint256 collateralValue = getUserCollateralValue(userAddress);
uint256 userDebt = getUserDebt(userAddress);
if (userDebt < 1) return type(uint256).max;
uint256 collateralThreshold = collateralValue.percentMul(liquidationThreshold);
return (collateralThreshold * 1e18) / userDebt;

If the collateral value has different decimals (e.g., 6 decimals), the health factor calculation will be inconsistent.

Impact

By not ensuring that the health factor is calculated in RAY decimals, the protocol will produce inconsistent health factor values. This can lead to incorrect assessments of user collateralization, potentially allowing users to borrow more than they should or triggering unnecessary liquidations. It undermines the protocol's ability to maintain a healthy and balanced financial state, potentially leading to significant financial losses.

Tools Used

Manual Review

Recommendations

To mitigate this vulnerability, update the calculateHealthFactor function to ensure that the health factor is calculated in RAY decimals, making the value normalized.
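
The arithmetic in the "Current Implementation" snippet can be checked offline. This is an added example, not part of the submission or the project's code: a Python model of the same integer math, run on the scenario's figures with matching and mismatched decimals. Assumptions: percentMul works in basis points with half-up rounding, the 80% threshold is 8000, and all function names below are hypothetical.

```python
# Added illustration: models the Solidity integer arithmetic quoted above.
# percent_mul is an ASSUMPTION (basis points, half-up rounding); the page
# does not show the body of percentMul.
WAD = 10**18              # scale used by the quoted snippet (1e18)
RAY = 10**27              # scale the submission recommends
UINT256_MAX = 2**256 - 1
BPS = 10_000              # 100% in basis points (assumed)

def percent_mul(value: int, bps: int) -> int:
    return (value * bps + BPS // 2) // BPS

def health_factor(collateral: int, debt: int, threshold_bps: int,
                  scale: int = WAD) -> int:
    """Mirror of the quoted return statement; `scale` sets the output unit."""
    if debt < 1:
        return UINT256_MAX
    return percent_mul(collateral, threshold_bps) * scale // debt

def to_decimals(amount: int, from_dec: int, to_dec: int) -> int:
    """Rescale a fixed-point amount to a common number of decimals."""
    if to_dec >= from_dec:
        return amount * 10 ** (to_dec - from_dec)
    return amount // 10 ** (from_dec - to_dec)

def scenario(collateral_dec: int, debt_dec: int, scale: int = WAD) -> int:
    # Constructed inputs: 1,000,000 collateral, 500,000 debt, 80% threshold.
    collateral = 1_000_000 * 10**collateral_dec
    debt = 500_000 * 10**debt_dec
    return health_factor(collateral, debt, 8000, scale)

def normalized_scenario(collateral_dec: int, debt_dec: int,
                        scale: int = WAD) -> int:
    # Same inputs, but both operands are rescaled to 18 decimals first.
    collateral = to_decimals(1_000_000 * 10**collateral_dec, collateral_dec, 18)
    debt = to_decimals(500_000 * 10**debt_dec, debt_dec, 18)
    return health_factor(collateral, debt, 8000, scale)

if __name__ == "__main__":
    for c_dec, d_dec in [(18, 18), (6, 6), (6, 18)]:
        print(f"collateral {c_dec}d / debt {d_dec}d:",
              scenario(c_dec, d_dec), "| normalized:",
              normalized_scenario(c_dec, d_dec))
    print("18d / 18d in RAY:", scenario(18, 18, RAY))
```

In this model the ratio comes out as 1.6 at the chosen scale whenever collateral and debt share the same decimals; only the mixed 6/18 case is off, by a factor of 10^12, and rescaling both operands first removes the difference.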

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
