Core Contracts

Summary

Compounding interest on debt won't be applied to the last borrow someone takes, simple interest will.

Vulnerability Details

As per protocol docs, borrowing is meant to have compound debt interests and lending simple ones. From LendingPool docs in the protocol:

The compounding interest effect is achieved here on DebtToken::mint() when instead of minting just the new debt amounts you add the accrued interest reflected on the balanceIncrease. This effectively makes the interest be accounted as new debt, creating a compound interest effect.

But this is only done on the mint() function, which is only called through the LendingPool::borrow() flow. Any other flow won't account the accrued interests as debt, leaving in practice a simple interest on borrows.

Proof Of Concept

As the compound effect is only found on this execution flow: LendingPool::borrow() -> DebtToken::mint(). Any other action will not account for interest.

If a user does: borrow() -> repay(). As repay does not account for balanceIncrease it will only account for the simple interest on that debt. See here that _repay() only calls DebtToken::burn() and see here that the burn does not mint or accounts for the accrued interest accruing debt. It only uses balanceIncrease for event emitting purposes.

Note that if a user borrows twice after some time passes, the first borrow will have compound applied, as the mint function will be executed twice. But the second borrow will only have simple interest.

⚠️ Note 🚧 I can't provide an executable POC because the code is very flawed. The minting and burning of ScaledBalanceTokens like RToken or DebtToken is flawed on its core, thus proving what I mean would require me to significantly re-write the contracts. There are other issues like scaled amounts minted being incorrect but once that is fixed, the compound effect on debt issue I describe here will still be present.

Visual explanation to make it clearer:

1. User borrows 100 USDC at debt index 1.

2. Time passes and the debt index is now 1.1, he borrows again 100 USDC. Mint will calculate the balance increase from the growing index and mint it all, new borrowed amount and accrued interest, as new debt, creating compunding effect.

3. Time passes, index is now 1.5 and user repays all. The second borrowed amount will have accrued interest, but this ones, as mint will never be called, won't be minted as debt, leaving the last borrow as a simple interest. See again the repay flow linked above and how balanceIncrease is only used for event emitting purposes on DebtToken::burn(). Furthermore, the interest accrued by the first 100USDC from the second borrow until the repayment won't also be accounted as new debt, leaving that part also as simple interest.

Impact

The last borrow a user repays won't be applied compounding interest on the debt. And any other borrow before that will only have compound interest for some time, this time being since it was created unitl the last borrow.

Recommendations

Mint the corresponding debt on repayment in a similar way done at borrowing, to account for the interests' of the interests that generate the desired compounding debt.