Double Scaling of Debt Amount Causes Liquidation DOS
Summary
In the StabilityPool.liquidateBorrower() function, the borrower's debt amount is incorrectly scaled twice by the usage index, causing the required crvUSD amount to be significantly inflated. This can make liquidateBorrower() revert with InsufficientBalance if the stability pool does not have enough balance to cover the inflated debt amount.
Vulnerability Details
The root cause of the issue is the double scaling of the user debt amount:
-
First scaling in
LendingPool.getUserDebt():contracts/core/pools/LendingPool/LendingPool.sol#L579
function getUserDebt(address userAddress) public view returns (uint256) {UserData storage user = userData[userAddress];return user.scaledDebtBalance.rayMul(reserve.usageIndex);} -
Second incorrect scaling in
StabilityPool.liquidateBorrower():contracts/core/pools/StabilityPool/StabilityPool.sol#L453
uint256 userDebt = lendingPool.getUserDebt(userAddress);uint256 scaledUserDebt = WadRayMath.rayMul(userDebt, lendingPool.getNormalizedDebt());
As a result, the required amount becomes significantly larger than the actual debt, which may unexpectedly exceed the crvUSDBalance in StabilityPool, causing the liquidation reverts.
Impact
The impact is high since:
The required balance for liquidation is inflated, make it much harder to liquidate large bad debt.
It puts the protocol's solvency at risk.
Tools Used
Manual review
Recommendations
Remove the second scaling in StabilityPool.liquidateBorrower(). The debt amount should only be scaled once:
Lead Judging Commences
StabilityPool::liquidateBorrower double-scales debt by multiplying already-scaled userDebt with usage index again, causing liquidations to fail
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.