Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Invalid

Naming Errors in FinalizeLiquidation function

Summary

The finalizeLiquidation function in the provided Solidity code records incorrect state values because of errors in the naming of the returned values. Specifically, the amountScaled and amountBurned variables have been misnamed. This can lead to certain errors in the future.

Vulnerability Details

The returned values amountScaled and amountBurned are incorrectly named. amountScaled should be amountBurned and amountBurned should be amountScaled.

// Burn DebtTokens from the user
(
    uint256 amountScaled, // should be named amountBurned
    uint256 newTotalSupply,
    uint256 amountBurned, // should be named amountScaled
    uint256 balanceIncrease
) = IDebtToken(reserve.reserveDebtTokenAddress).burn(
    userAddress,
    userDebt,
    reserve.usageIndex
);
// Transfer reserve assets from Stability Pool to cover the debt
IERC20(reserve.reserveAssetAddress).safeTransferFrom(
    msg.sender,
    reserve.reserveRTokenAddress,
    amountScaled
);
// Update user's scaled debt balance
user.scaledDebtBalance -= amountBurned; // this can lead to errors in future
reserve.totalUsage = newTotalSupply;
// Update liquidity and interest rates
ReserveLibrary.updateInterestRatesAndLiquidity(
    reserve,
    rateData,
    amountScaled,
    0
);

Below is the DebtToken.burn function with the returned variables:

In the returned variables, amountScaled is the third parameter while amountBurned is the first parameter, which was interchanged in the finalizeLiquidation function.

ed == 0) revert InvalidAmount();
_burn(from, amount.toUint128());//safecast
emit Burn(from, amountScaled, index);
return (amount, totalSupply(), amountScaled, balanceIncrease);
}

Impact

Impact is low.

Tools Used

Manual review

Recommendations

To mitigate this issue, correct the naming of the returned values in the finalizeLiquidation function:

(
    uint256 amountBurned, // renamed from amountScaled
    uint256 newTotalSupply,
    uint256 amountScaled, // renamed from amountBurned
    uint256 balanceIncrease
) = IDebtToken(reserve.reserveDebtTokenAddress).burn(
    userAddress,
    userDebt,
    reserve.usageIndex
);

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

LendingPool functions incorrectly assign DebtToken::burn return values, swapping amountScaled and amountBurned, causing wrong token transfers and debt accounting

This is confusing naming but functionally correct. The variable names are misleading, but that's not a vulnerability.
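
As an added example (not part of the submission, the judging, or the project's code), a small Python check over the two fragments quoted on this page: it pairs each local declared at the call site with the expression DebtToken.burn returns in the same slot, and flags locals whose name matches a return expression sitting in a different slot. The function names and the regex-based parsing are assumptions of this example.

```python
import re

# Constructed inputs: the two fragments quoted on this page, comments removed.
CALL_SITE = """(
    uint256 amountScaled,
    uint256 newTotalSupply,
    uint256 amountBurned,
    uint256 balanceIncrease
) = IDebtToken(reserve.reserveDebtTokenAddress).burn("""
CALLEE_RETURN = "return (amount, totalSupply(), amountScaled, balanceIncrease);"


def split_top_level(text):
    """Split on commas that are not nested inside parentheses; keep empty slots."""
    parts, depth, cur = [], 0, ""
    for ch in text:
        if ch == "," and depth == 0:
            parts.append(cur.strip())
            cur = ""
        else:
            depth += (ch == "(") - (ch == ")")
            cur += ch
    return parts + [cur.strip()]


def caller_names(src):
    """Names declared on the left of a tuple destructuring, in slot order."""
    src = re.sub(r"//[^\n]*", "", src)  # drop line comments
    inner = re.search(r"\((.*?)\)\s*=", src, re.S).group(1)
    # "uint256 x" -> "x"; an omitted slot ("") becomes None
    return [p.split()[-1] if p else None for p in split_top_level(inner)]


def callee_exprs(src):
    """Expressions of a `return (...)` statement, in slot order."""
    inner = re.search(r"return\s*\((.*)\)\s*;", src, re.S).group(1)
    return split_top_level(inner)


def audit(call_site, callee_return):
    """Return (bindings, mismatches): what each local receives by position, and
    every local whose name equals a callee expression in a different slot."""
    names, exprs = caller_names(call_site), callee_exprs(callee_return)
    if len(names) != len(exprs):
        raise ValueError("arity mismatch: %d vs %d" % (len(names), len(exprs)))
    bindings = {n: e for n, e in zip(names, exprs) if n}
    mismatches = [(n, i, exprs.index(n)) for i, n in enumerate(names)
                  if n in exprs and exprs.index(n) != i]
    return bindings, mismatches
```

On the quoted fragments, `audit(CALL_SITE, CALLEE_RETURN)` reports the local `amountScaled` in slot 0 against the callee's `amountScaled` in slot 2, and the bindings show that the local `amountScaled` receives `amount` while the local `amountBurned` receives the callee's `amountScaled`.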
