Fujicracy / fuji-v2

Cross-chain money market aggregator
https://fuji-v2-frontend.vercel.app

CS - CompoundV2 Incorrect user’s borrow balance #184

Closed 0xdcota closed 1 year ago

0xdcota commented 1 year ago

Where: https://github.com/Fujicracy/fuji-v2/blob/ab02d2308797577973ac358af8c7aadf973bcec7/packages/protocol/src/providers/mainnet/CompoundV2.sol#L197

Description: The getBorrowBalance function returns the borrow balance for the vault without including the current interest.
Fuji V2 protocol uses this value to calculate the amount of debt assets to be paid back by users, and it returns a lower number than the actual one.
The severity of this issue has been decreased because the exploit requires the provider's token to never accrue interest, which is very unlikely to happen as many users interact with the token on a daily basis.

Recommendation:
• Use the current borrow balance for the user. This can be achieved using the libcompound library (see references).
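The following is an added illustration of the stale-read problem and one way to fix it; it is not code from the fuji-v2 repository or from libcompound. It assumes the provider reads `borrowBalanceStored` (a view that does not accrue interest) and shows a view-only `viewBorrowBalanceCurrent` helper (a hypothetical name) that projects the stored balance forward with the borrow index Compound would compute if `accrueInterest()` ran in the current block. The `ICToken` and `IInterestRateModel` functions used are real Compound V2 getters; the helper library and `CompoundV2ProviderExample` contract are constructed for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Minimal subset of the Compound V2 CToken interface (real function names).
interface ICToken {
  function borrowBalanceStored(address account) external view returns (uint256);
  function borrowBalanceCurrent(address account) external returns (uint256);
  function accrueInterest() external returns (uint256);
  function accrualBlockNumber() external view returns (uint256);
  function borrowIndex() external view returns (uint256);
  function totalBorrows() external view returns (uint256);
  function totalReserves() external view returns (uint256);
  function getCash() external view returns (uint256);
  function interestRateModel() external view returns (IInterestRateModel);
}

interface IInterestRateModel {
  function getBorrowRate(uint256 cash, uint256 borrows, uint256 reserves) external view returns (uint256);
}

// Hypothetical helper (not libcompound): view-only projection of a borrow balance.
library CompoundBorrowView {
  uint256 internal constant EXP_SCALE = 1e18;

  // Borrow index the market would have after accrueInterest() in this block.
  // Mirrors CToken.accrueInterest(): borrowIndexNew = borrowIndex * (1 + borrowRate * blockDelta).
  function currentBorrowIndex(ICToken cToken) internal view returns (uint256) {
    uint256 borrowIndexPrior = cToken.borrowIndex();
    uint256 blockDelta = block.number - cToken.accrualBlockNumber();
    if (blockDelta == 0) return borrowIndexPrior; // already accrued this block
    uint256 borrowRate = cToken.interestRateModel().getBorrowRate(
      cToken.getCash(), cToken.totalBorrows(), cToken.totalReserves()
    );
    uint256 simpleInterestFactor = borrowRate * blockDelta; // 1e18-scaled
    return borrowIndexPrior + (simpleInterestFactor * borrowIndexPrior) / EXP_SCALE;
  }

  // stored = principal * borrowIndex / interestIndex, so scaling the stored balance by
  // (currentIndex / borrowIndex) gives the balance accrueInterest() would produce,
  // without needing the private accountBorrows snapshot.
  function viewBorrowBalanceCurrent(ICToken cToken, address account) internal view returns (uint256) {
    uint256 stored = cToken.borrowBalanceStored(account);
    if (stored == 0) return 0;
    return (stored * currentBorrowIndex(cToken)) / cToken.borrowIndex();
  }
}

contract CompoundV2ProviderExample {
  using CompoundBorrowView for ICToken;

  // Before (assumed shape of the reported pattern): stale, excludes pending interest,
  // so the repayment amount derived from it is lower than the real debt.
  function getBorrowBalanceStale(ICToken cToken, address user) external view returns (uint256) {
    return cToken.borrowBalanceStored(user);
  }

  // After: view-safe projection that includes interest pending since the last accrual.
  function getBorrowBalance(ICToken cToken, address user) external view returns (uint256) {
    return cToken.viewBorrowBalanceCurrent(user);
  }

  // In a state-changing path, accruing first and then reading is the simplest option.
  function getBorrowBalanceAccrued(ICToken cToken, address user) external returns (uint256) {
    cToken.accrueInterest();
    return cToken.borrowBalanceStored(user); // equivalent to borrowBalanceCurrent(user)
  }
}
```

The view projection truncates once more than Compound's own arithmetic (it rescales an already truncated stored balance), so it can be off by a wei; callers that must repay the debt exactly should accrue first and then read, as `getBorrowBalanceAccrued` does. The reported finding is precisely the `getBorrowBalanceStale` shape: between two accruals the stored value lags the real debt, and the longer the market goes untouched the larger the gap.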