Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

The `DebtToken.burn` function contains incorrect calculations for balanceIncrease

Summary

The DebtToken.burn function contains incorrect calculations. The balanceIncrease should not be added, as it is already accounted for in balanceOf(). Since balanceOf() returns the current debt of the user, the burn function only needs to reduce the tokens based on the actual debt amount, avoiding unnecessary inflation of total debt.

Vulnerability Details

Consider the following scenario:

  1. A user initially borrows 100 tokens when the index is 2. This results in the user holding:

    • super.balanceOf(user) = 50

    • userIndex = 2

  2. After some time, the index increases to 4, doubling the user’s debt to 200.

  3. The user repays 1 wei (a near-zero amount for test and PoC), triggering the burn function.

  4. The expected behavior is for the debt to remain the same (since 1 wei is near zero), but due to the incorrect calculation, an excessive amount of tokens is burned.

Problematic Code in burn:

function burn(
    address user,
    uint256 amount,
    uint256 index
) external override onlyReservePool returns (bool, uint256, uint256) {
    uint256 scaledBalance = balanceOf(user);
    uint256 balanceIncrease = 0;
    if (_userState[user].index != 0 && _userState[user].index < index) {
        balanceIncrease = scaledBalance.rayMul(index) - scaledBalance.rayMul(_userState[user].index);
    }
    _userState[user].index = index.toUint128();
    uint256 amountToBurn = amount + balanceIncrease;
    _burn(user, amountToBurn.toUint128());
}

Breakdown of Incorrect Calculations:

  • scaledBalance = balanceOf(user) = super.balanceOf(user) * index = 50 * 4 = 200

  • balanceIncrease = scaledBalance * (index - userIndex) = 200 * (4 - 2) = 400

  • amountToBurn = amount + balanceIncrease = 1 + 400 = 401

  • _burn(user, 401)

    • The user’s balance decreases by 401/4 = 100.25, leading to an incorrect reduction in debt.

Impact:

This results in excessive burning of tokens, causing an unintended decrease in the user's debt and leading to incorrect accounting in the system. Users can exploit this to unfairly reduce their obligations.

Users may mint or burn more tokens than intended, allowing them to manipulate their debt and either reduce their obligations unfairly or face unintended losses.

Tools Used

VS Code

Recommendations

Remove balanceIncrease from the DebtToken.burn function to ensure only the actual debt amount is burned, preventing unintended inflation or deflation of total debt.
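
As an added example (not part of the submission or the project's code), the following Python model replays the scenario above with integer ray arithmetic, once with the listed formula and once burning only `amount`. It assumes what the breakdown states: `balanceOf()` returns the stored balance times the current index, and `_burn` divides the amount by the index before subtracting it from the stored balance. The names `DebtModel` and `run_scenario` are hypothetical, and whole-number units stand in for wei.

```python
# Constructed model of the burn arithmetic shown above; not the project's contract.
RAY = 10**27  # 27-decimal fixed point used for the index


def ray_mul(a: int, b: int) -> int:
    """Fixed-point multiply, rounding half up."""
    return (a * b + RAY // 2) // RAY


def ray_div(a: int, b: int) -> int:
    """Fixed-point divide, rounding half up."""
    return (a * RAY + b // 2) // b


class DebtModel:  # hypothetical name
    def __init__(self, borrowed: int, index: int):
        self.stored = ray_div(borrowed, index)  # super.balanceOf(user)
        self.user_index = index                 # _userState[user].index

    def balance_of(self, index: int) -> int:
        # Assumption from the breakdown: stored balance times current index.
        return ray_mul(self.stored, index)

    def burn(self, amount: int, index: int, add_increase: bool) -> dict:
        balance = self.balance_of(index)
        increase = 0
        if add_increase and self.user_index != 0 and self.user_index < index:
            increase = ray_mul(balance, index) - ray_mul(balance, self.user_index)
        self.user_index = index
        to_burn = amount + increase
        # Assumption from the breakdown: _burn divides the amount by the index.
        scaled = ray_div(to_burn, index)
        fits = scaled <= self.stored  # unsigned balances cannot go negative
        if fits:
            self.stored -= scaled
        return {"to_burn": to_burn, "scaled": scaled, "fits": fits,
                "debt_after": self.balance_of(index)}


def run_scenario(add_increase: bool) -> dict:
    """Borrow 100 at index 2, then repay 1 unit at index 4."""
    model = DebtModel(borrowed=100, index=2 * RAY)
    return model.burn(amount=1, index=4 * RAY, add_increase=add_increase)


if __name__ == "__main__":
    print("listed formula:", run_scenario(add_increase=True))
    print("amount only:   ", run_scenario(add_increase=False))
```

With the page's numbers, the listed formula gives `to_burn = 401`, which scales to 100 stored units against a stored balance of 50, so `fits` is `False`. Burning only `amount` scales to 0 and leaves the debt at 200.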

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

DebtToken::burn calculates balanceIncrease (interest) but never applies it, allowing borrowers to repay loans without paying accrued interest

Interest IS applied through the balanceOf() mechanism. The separate balanceIncrease calculation is redundant/wrong. Users pay full debt including interest via userBalance capping.
