Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

Incorrect Repayment Calculation Leading to Protocol Loss

Summary

The repay function currently miscalculates the total debt when users attempt to repay more than their outstanding balance. If a user tries to repay their full debt, the function incorrectly scales the repayment amount, leading to an underpayment. This results in debt tokens being burned without fully covering the outstanding amount, causing a financial loss to the protocol.

Vulnerability Details

Issue

  • The function caps the repayment amount at the user’s debt balance but fails to properly account for usageIndex when calculating the actual debt.

  • The burn function scales the repayment down to the user's debt token balance, but the actual total debt is the balance multiplied by usageIndex.

  • As a result, the contract transfers an incorrect repayment amount, leading to an underpayment while still burning the full debt tokens.

Example Scenario

  • A user has a debt balance of 1,000 tokens, with a usageIndex of 2. Their actual debt is 2,000 tokens.

  • If they attempt to repay 2,000 tokens, the function scales it down to 1,000 tokens due to incorrect calculations.

  • The contract then transfers only 1,000 tokens to the protocol instead of 2,000, leading to a loss of 1,000 tokens.

  • Despite this, all debt tokens are burned, creating an imbalance where the protocol assumes the user has fully repaid when they haven’t.
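The scenario above can be checked with a small accounting model. This is an added example, not code from the submission or from the audited contracts: `repay`, `debtOf` and `shortfall` are hypothetical names, and a 1e27 (RAY) fixed-point `usageIndex` is an assumption. It compares a repay path that transfers the scaled figure, as the report describes, with one that transfers the underlying figure, and tests the invariant that assets received equal debt cancelled.

```javascript
// Simplified model of index-scaled debt accounting (constructed for illustration).
const RAY = 10n ** 27n; // assumed fixed-point scale of usageIndex
const rayMul = (a, b) => (a * b + RAY / 2n) / RAY;
const rayDiv = (a, b) => (a * RAY + b / 2n) / b;

// Debt owed in underlying units = scaled debt-token balance * usageIndex.
const debtOf = (scaledBalance, usageIndex) => rayMul(scaledBalance, usageIndex);

// Repay `amount` (underlying units) against a position.
// transferScaled = true  : pay the scaled figure (the behaviour the report describes)
// transferScaled = false : pay the underlying figure that the burn cancels
function repay(position, amount, usageIndex, transferScaled) {
  const debt = debtOf(position.scaledBalance, usageIndex);
  const capped = amount > debt ? debt : amount;      // cap at outstanding debt
  const scaledBurned = rayDiv(capped, usageIndex);   // debt tokens removed
  return {
    scaledBalance: position.scaledBalance - scaledBurned,
    transferred: transferScaled ? scaledBurned : capped,
    debtCancelled: rayMul(scaledBurned, usageIndex),
  };
}

// Invariant for any repay path: assets received must equal debt cancelled.
const shortfall = (result) => result.debtCancelled - result.transferred;

// Constructed sample matching the scenario: balance 1,000, usageIndex 2.
const UNIT = 10n ** 18n;
const position = { scaledBalance: 1000n * UNIT };
const index = 2n * RAY;

const asReported = repay(position, 2000n * UNIT, index, true);
const underlying = repay(position, 2000n * UNIT, index, false);
console.log("shortfall, scaled transfer:    ", shortfall(asReported) / UNIT);
console.log("shortfall, underlying transfer:", shortfall(underlying) / UNIT);
```

The same invariant, asserted in a test against the deployed `repay` path with a `usageIndex` above 1, confirms or refutes the reported behaviour directly.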

Affected Code

(uint256 amountScaled, uint256 newTotalSupply, uint256 amountBurned, uint256 balanceIncrease) =
IDebtToken(reserve.reserveDebtTokenAddress).burn(onBehalfOf, amount, reserve.usageIndex);
IERC20(reserve.reserveAssetAddress).safeTransferFrom(msg.sender, reserve.reserveRTokenAddress, amountScaled); // Incorrect transfer amount

Impact

Financial Loss to the Protocol

  • The system incorrectly assumes a user’s loan is fully repaid while receiving only a fraction of the required repayment.

  • This leads to a discrepancy between the total debt and repaid amounts, resulting in protocol losses over time.

Inconsistent Debt Accounting

  • Users can burn all their debt tokens without covering their actual debt, making it appear as though they have repaid their loan when they have not.

  • This could cause liquidity issues and potential insolvency risks for the protocol.

Tools Used

  • Manual review of the repay function and debt token burning mechanism.

Recommendations

Ensure Accurate Debt Repayment

  • If a user is repaying their full debt, the actual repayment amount should be based on their total debt, not just their scaled balance.

  • Use either of the following fixes to ensure accurate debt repayment:

Example Fix

uint256 userDebt = IDebtToken(reserve.reserveDebtTokenAddress).balanceOf(onBehalfOf) * reserve.usageIndex;
IERC20(reserve.reserveAssetAddress).safeTransferFrom(msg.sender, reserve.reserveRTokenAddress, userDebt);

  • This ensures that the total outstanding debt is properly accounted for, preventing protocol losses.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement