Incorrect implementation of getUserDebt() method in LendingPool.sol
Summary
incorrect implementation of LendingPool::getUserDebt() may lead to lesser debt amount than than are supposed to be.
Vulnerability Details
User debt is recorded in state variable UserData[userAddress].scaledDebtBalance, where this amount is the debtToken minted, not the real debt value. The real debt value is calculated from multiplying reserve debt index. However the code implemented in LendingPool::getUserDebt() does this by multiplying last time updated usageIndex, while it should be the in time index:
instead it should be :
while in most occasions, there will be a reserve index updating before any token actions(deposti/withdraw/repay), which will result in no differences of NormalizedDebt() and reserve.usageIndex.
Hovever In StabilityPool::liquidateBorrower(), userDebt is straightly calculated from lendingPool.getUserDebt(), which will results in less debt that users accumulated.
Impact
users get less debt than real time accumulated
Tools Used
manual
Recommendations
consider change getUserDebt() to :
Lead Judging Commences
LendingPool::getNormalizedIncome() and getNormalizedDebt() returns stale data without updating state first, causing RToken calculations to use outdated values
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.