Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

Incorrect Amount Parameter

Summary

The _repay function contains a critical inconsistency in its parameter usage when processing loan repayments. The function incorrectly uses the raw amount parameter instead of the validated actualRepayAmount when executing burns and asset transfers, potentially leading to accounting errors in the protocol.

Vulnerability Details

  • The function calculates actualRepayAmount as a capped value based on the user's outstanding debt

  • However, subsequent operations incorrectly reference the uncapped amount parameter when calling burn()

  • While the function is intended to handle small overpayments ("dust"), the current implementation lacks proper validation and handling of such cases

Impact

  • Accounting Mismatches: Users repaying loans may have incorrect amounts burned or transferred, creating discrepancies in the protocol's accounting

  • Excess Transfer Risk: When amount exceeds actualRepayAmount, the protocol may transfer more funds than necessary without proper accounting

Tools Used

  • Manual code review

Recommendations

  • Modify the burn() call to use actualRepayAmount instead of amount

  • Implement validation logic to properly handle and account for any overpayment scenarios

  • Consider adding a refund mechanism for excess payments beyond small dust amounts

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
