Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

User debt is overestimated in `StabilityPool::liquidateBorrower()`

Vulnerability Details

When a user is liquidated through StabilityPool::liquidateBorrower(), the tx reverts if the StabilityPool does not hold enough crvUSD to cover the user's debt.

The issue is that the user's debt is over-calculated, which can make it impossible for the liquidation to take place.

The problem arises because rayMul() is applied twice to the user's debt.

The first multiplication happens in LendingPool::getUserDebt(), so the value it returns already accounts for the debt completely. Back in StabilityPool::liquidateBorrower(), the interest index is then applied to that value again, on the line right after the call to getUserDebt().

This effectively applies the interest twice. In cases where the inflated amount exceeds the crvUSD held by the pool, txs will revert, leaving the system unable to liquidate the user.

Numbers example

  • StabilityPool balance 100

  • User debt 90, index 1.1. Total debt: 90 * 1.1 = 99

  • The pool has enough balance, but because the index is applied twice: 99 * 1.1 = 108.9 > 100. Tx reverts.

Impact

Some liquidations may not be carried out when they should be, and the system becomes unhealthy.

Recommendations

Do not multiply twice by the index.
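
The numbers example and the recommendation above, as an added JavaScript model that is not the protocol's Solidity code. `rayMul` follows the usual round-half-up ray arithmetic; the `pool` object, the `alice` key and the helper function names are assumptions made for illustration.

```javascript
// Simplified model of the accounting described in this finding (not the protocol's code).
const RAY = 10n ** 27n; // 27-decimal fixed point used for the interest index
const WAD = 10n ** 18n; // 18-decimal token amounts

// Ray multiplication with round-half-up, as in common WadRayMath libraries.
function rayMul(a, b) {
  return (a * b + RAY / 2n) / RAY;
}

// Models LendingPool::getUserDebt(): the scaled debt is already multiplied by the index.
function getUserDebt(pool, user) {
  return rayMul(pool.scaledDebt[user], pool.index);
}

// Reported behaviour: the index is applied a second time to the returned debt.
function liquidationAmountBuggy(pool, user) {
  return rayMul(getUserDebt(pool, user), pool.index);
}

// Recommended behaviour: use the value from getUserDebt() unchanged.
function liquidationAmountFixed(pool, user) {
  return getUserDebt(pool, user);
}

// Models the balance check that makes liquidateBorrower() revert.
function liquidate(pool, user, stabilityPoolBalance, amountFn) {
  const owed = amountFn(pool, user);
  if (stabilityPoolBalance < owed) {
    return { ok: false, owed, reason: "insufficient balance" };
  }
  return { ok: true, owed };
}

// Constructed sample state matching the numbers example: debt 90, index 1.1, balance 100.
const pool = { index: (11n * RAY) / 10n, scaledDebt: { alice: 90n * WAD } };
const balance = 100n * WAD;

const buggy = liquidate(pool, "alice", balance, liquidationAmountBuggy);
const fixed = liquidate(pool, "alice", balance, liquidationAmountFixed);
console.log("double-scaled:", buggy.ok, buggy.owed.toString());
console.log("single-scaled:", fixed.ok, fixed.owed.toString());
```

The overestimate factor equals the index itself, so the liquidation fails for any pool balance between the true debt and the true debt times the index.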

Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

StabilityPool::liquidateBorrower double-scales debt by multiplying already-scaled userDebt with usage index again, causing liquidations to fail
