Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

Messed up positions of params in DebtToken contract in burn() function

Summary

The positions of the first and third returned variables in the burn() function are swapped in the DebtToken contract.

Vulnerability Details

return (amount, totalSupply(), amountScaled, balanceIncrease);

The function is expected to return:

@return A tuple containing:
- uint256: The amount of scaled tokens burned
- uint256: The new total supply after burning
- uint256: The amount of underlying tokens burned
- uint256: The balance increase due to interest

For the first param it returns the amount in underlying tokens; for the third param it returns the amount of scaled tokens.

Impact

The problem will cause unexpected values. In the LendingPool contract:

In the LendingPool contract, in the _repay and finalizeLiquidation functions, amountScaled is expected to be in scaled units and amountBurned in non-scaled units. They receive the wrong values returned by the DebtToken contract's burn function, and assigning these to the variables will cause unexpected problems.

Recommendations

To fix it, change the return to:

return (amountScaled, totalSupply(), amount, balanceIncrease);
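
An added example, not part of the submission or the project's code: a JavaScript model of the positional mismatch the submission describes, with a check that flags tuple positions holding the wrong unit. The round-half-up ray division, the names `burnDocumented`, `burnSwapped` and `checkBurnTupleOrder`, and all sample values are assumptions constructed for illustration; the last call shows that a test run at an index of exactly 1 RAY cannot detect such a swap.

```javascript
// Hypothetical model for illustration; not the DebtToken or LendingPool source.
const RAY = 10n ** 27n;
// Round-half-up ray division (assumed scaled-balance convention).
const rayDiv = (a, b) => (a * RAY + b / 2n) / b;

// burn() model whose tuple follows the documented order:
// (scaled burned, new total supply, underlying burned, balance increase).
function burnDocumented(state, amount, index) {
  const amountScaled = rayDiv(amount, index);
  state.scaledSupply -= amountScaled;
  return [amountScaled, state.scaledSupply, amount, 0n]; // interest term simplified to 0
}

// burn() model with positions 0 and 2 exchanged, as in the return the submission quotes.
function burnSwapped(state, amount, index) {
  const [scaled, supply, underlying, inc] = burnDocumented(state, amount, index);
  return [underlying, supply, scaled, inc];
}

// Returns the tuple positions whose value does not match the documented unit.
function checkBurnTupleOrder(burnFn, amount, index) {
  const state = { scaledSupply: 1000n * RAY }; // constructed starting supply
  const out = burnFn(state, amount, index);
  const wrong = [];
  if (out[0] !== rayDiv(amount, index)) wrong.push(0); // must be scaled units
  if (out[2] !== amount) wrong.push(2);                // must be underlying units
  return wrong;
}

const amount = 100n * 10n ** 18n;     // constructed: 100 tokens, 18 decimals
const grownIndex = (RAY * 11n) / 10n; // constructed: index of 1.1 after interest accrual

console.log(checkBurnTupleOrder(burnDocumented, amount, grownIndex)); // []
console.log(checkBurnTupleOrder(burnSwapped, amount, grownIndex));    // [ 0, 2 ]
// At index == RAY, scaled and underlying amounts coincide, so the swap goes unnoticed.
console.log(checkBurnTupleOrder(burnSwapped, amount, RAY));           // []
```

A unit test for tuple ordering therefore needs an index different from 1 RAY, otherwise both orderings pass.
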
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

DebtToken::burn calculates balanceIncrease (interest) but never applies it, allowing borrowers to repay loans without paying accrued interest

Interest IS applied through the balanceOf() mechanism. The separate balanceIncrease calculation is redundant/wrong. Users pay full debt including interest via userBalance capping.
