Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Double Scaling Issue in `liquidateBorrower` Function Leading to Debt Overestimation

Summary

The liquidateBorrower function in the StabilityPool contract incorrectly applies a scaling factor to a user’s debt twice. When retrieving the debt from the LendingPool using the getUserDebt function, the returned value is already scaled using the usageIndex. However, liquidateBorrower mistakenly applies rayMul again to this value, effectively doubling the scaling. This results in an overestimation of the user's debt, leading to incorrect approval amounts for liquidation and potential inefficiencies in the system.

Vulnerability Details

  • Issue:

    • The getUserDebt function returns a debt value that is already scaled based on the usageIndex in the LendingPool.

    • Despite this, the liquidateBorrower function applies an additional rayMul operation, unnecessarily scaling the value a second time.

    • This leads to an inflated debt amount, which affects the liquidation process.

    Incorrect Code:

    ```solidity
    uint256 userDebt = lendingPool.getUserDebt(userAddress); // Already scaled by the usage index
    uint256 scaledUserDebt = WadRayMath.rayMul(userDebt, lendingPool.getNormalizedDebt()); // Scaled again, causing error
    ```
  • Root Cause:

    • The contract does not account for the fact that getUserDebt already returns a scaled value.

    • Applying rayMul again causes an overestimation of the debt amount, leading to incorrect fund approvals.

  • Expected Behavior:

    • The debt should not be scaled twice. Instead, if needed, the existing scaling should be reversed using rayDiv to obtain the actual debt amount.

Impact

  • Debt Overestimation:
    Applying the scaling factor twice results in an inflated debt amount, leading to incorrect calculations and potential financial discrepancies.

  • Incorrect Liquidation:
    The liquidation function may approve more tokens than necessary, leading to either overpayment of debt or excess fund allocation from the StabilityPool.

  • Inefficient Fund Utilization:
    The StabilityPool could approve and transfer more tokens than required, reducing the efficiency of the pool’s fund management and potentially leading to unnecessary losses.

Tools Used

  • Manual code review

Recommendations

  1. Remove the Double Scaling Issue:
    Instead of applying rayMul to userDebt again, use rayDiv to correctly adjust the debt amount if necessary.

    Fixed Code:

    ```solidity
    uint256 userDebt = lendingPool.getUserDebt(userAddress); // Already scaled by the usage index
    uint256 correctedDebt = userDebt.rayDiv(lendingPool.getNormalizedDebt()); // Reverse extra scaling if needed
    ```
  2. Ensure Correct Approval for Liquidation:
    The approval for liquidation should match the correct debt amount without unnecessary scaling, ensuring accurate liquidation transactions.
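The following is an added worked example, not code from the report or from the Regnum Aurum codebase. It models the arithmetic behind both the Vulnerability Details and the Recommendations above: an integer implementation of Aave-style `rayMul`/`rayDiv` (RAY = 1e27, round half up, assumed to match the `WadRayMath` library the contracts use), a `get_user_debt` that is assumed to return `rayMul(normalizedDebt, usageIndex)` as described in the Summary, the buggy path that applies `rayMul` a second time, and the amount by which the StabilityPool would over-approve. It also checks that a `rayDiv` by the same index undoes one extra `rayMul`, which is the report's "reverse extra scaling" idea applied to the double-scaled value. All sample balances and the 1.05 usage index are constructed.

```python
# Added example (not from the audit report or the Regnum Aurum codebase): an
# integer model of Aave-style WadRayMath showing why liquidateBorrower's second
# rayMul inflates the debt, and that rayDiv by the same index undoes it.
RAY = 10**27          # 1.0 in ray precision
HALF_RAY = RAY // 2   # used for round-half-up, as in WadRayMath


def ray_mul(a: int, b: int) -> int:
    """a * b / RAY, rounding half up (WadRayMath.rayMul semantics, assumed)."""
    return (a * b + HALF_RAY) // RAY


def ray_div(a: int, b: int) -> int:
    """a * RAY / b, rounding half up (WadRayMath.rayDiv semantics, assumed)."""
    return (a * RAY + b // 2) // b


def get_user_debt(normalized_debt: int, usage_index: int) -> int:
    """Model of LendingPool.getUserDebt (assumed): the stored normalized balance
    times the current usage index is the debt actually owed, in token units."""
    return ray_mul(normalized_debt, usage_index)


def buggy_liquidation_debt(normalized_debt: int, usage_index: int) -> int:
    """Mirrors the reported code path: getUserDebt is already index-scaled,
    and liquidateBorrower multiplies by the index a second time."""
    user_debt = get_user_debt(normalized_debt, usage_index)   # already scaled
    return ray_mul(user_debt, usage_index)                     # scaled again


def fixed_liquidation_debt(normalized_debt: int, usage_index: int) -> int:
    """Approve exactly what getUserDebt reports; no further scaling."""
    return get_user_debt(normalized_debt, usage_index)


def approval_overshoot(normalized_debt: int, usage_index: int) -> int:
    """Tokens the StabilityPool would approve beyond the real debt."""
    return (buggy_liquidation_debt(normalized_debt, usage_index)
            - fixed_liquidation_debt(normalized_debt, usage_index))


def undo_extra_scaling(double_scaled: int, usage_index: int) -> int:
    """Reverse one rayMul with a rayDiv by the same index (the report's
    'reverse extra scaling' suggestion, applied to the double-scaled value)."""
    return ray_div(double_scaled, usage_index)


if __name__ == "__main__":
    # Constructed sample: 1,000 tokens (18 decimals) of normalized debt and a
    # usage index of 1.05 ray, i.e. 5% interest has accrued since borrowing.
    normalized = 1_000 * 10**18
    index = 105 * 10**25
    real = fixed_liquidation_debt(normalized, index)
    bad = buggy_liquidation_debt(normalized, index)
    print(f"real debt        : {real / 10**18:.2f} tokens")
    print(f"double-scaled    : {bad / 10**18:.2f} tokens")
    print(f"over-approval    : {approval_overshoot(normalized, index) / 10**18:.2f} tokens")
    print(f"rayDiv undoes it : {undo_extra_scaling(bad, index) == real}")
```

With the sample values the real debt is 1,050 tokens, the double-scaled figure is 1,102.5 tokens, and the pool would approve 52.5 tokens too many. The overshoot is exactly `real * (index / RAY)`, so it grows with accrued interest; only when the index is still 1.0 ray do the two paths agree, which is why a test run immediately after a borrow would not catch this. A Hardhat regression test can assert that the amount approved in `liquidateBorrower` equals `getUserDebt` for the same borrower after the index has been advanced.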

Updates

Lead Judging Commences

inallhonesty (Lead Judge), 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

StabilityPool::liquidateBorrower double-scales debt by multiplying already-scaled userDebt with usage index again, causing liquidations to fail
