A vulnerability was identified in the liquidateBorrower function of the StabilityPool contract. The issue arises from an incorrect scaling operation applied to the user's debt, leading to an overestimation of the required liquidation amount.
In the liquidateBorrower function, the user's debt is retrieved from the LendingPool contract using lendingPool.getUserDebt(userAddress). This value already accounts for interest and represents the present debt amount. However, the retrieved debt is then further scaled using WadRayMath.rayMul(userDebt, lendingPool.getNormalizedDebt()), which incorrectly inflates the debt amount. The correct operation should be rayDiv rather than rayMul, as the debt value should not be compounded again.
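The double scaling described above, as an added Python model (not code from the audited contracts). It assumes getUserDebt returns the stored scaled debt multiplied by the normalized debt index and that rayMul rounds half up at 27 decimals; the class name, function names and the sample debt are hypothetical and constructed for illustration.

```python
RAY = 10**27          # 27-decimal fixed-point unit
HALF_RAY = RAY // 2

def ray_mul(a: int, b: int) -> int:
    """Ray multiply with half-up rounding (assumed to match WadRayMath.rayMul)."""
    return (a * b + HALF_RAY) // RAY

class LendingPoolModel:
    """Hypothetical stand-in for LendingPool: scaled debt per user plus an index."""
    def __init__(self, scaled_debt: dict, normalized_debt: int = RAY):
        self.scaled_debt = scaled_debt
        self.normalized_debt = normalized_debt

    def get_user_debt(self, user: str) -> int:
        # Assumption: present debt = scaled debt * index, so interest is already applied.
        return ray_mul(self.scaled_debt[user], self.normalized_debt)

    def get_normalized_debt(self) -> int:
        return self.normalized_debt

def liquidation_amount_as_described(pool: LendingPoolModel, user: str) -> int:
    """The computation the finding describes: present debt scaled by the index again."""
    user_debt = pool.get_user_debt(user)
    return ray_mul(user_debt, pool.get_normalized_debt())

def overestimate(pool: LendingPoolModel, user: str) -> int:
    """Amount by which the double-scaled figure exceeds the present debt."""
    return liquidation_amount_as_described(pool, user) - pool.get_user_debt(user)

def sweep(indices_pct=(100, 105, 110, 150)):
    """Constructed scenario: 1000 tokens (18 decimals) of scaled debt, rising index."""
    rows = []
    for pct in indices_pct:
        pool = LendingPoolModel({"alice": 1000 * 10**18}, RAY * pct // 100)
        rows.append((pct, pool.get_user_debt("alice"), overestimate(pool, "alice")))
    return rows

if __name__ == "__main__":
    for pct, debt, extra in sweep():
        print(f"index={pct / 100:.2f}  debt={debt / 1e18:.2f}  overestimate={extra / 1e18:.2f}")
```

In this model the inflation factor is the index itself, so the error is zero while the index equals one ray and grows as interest accrues; a test that liquidates immediately after deployment would not surface it.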
The liquidation process overestimates the required debt repayment.
Manual review
The liquidation process overestimates the required debt repayment: