Lines of code
https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/PositionManager/PositionManager.sol#L89-L109
Vulnerability details
Impact
The cleanup(...) function in the PositionManager.sol contract is used to deposit remaining user assets back to ROE, repaying debt if any. However, the user's debt will not be repaid if the user has debt, leading to loss of funds for the lenders and the project.
Proof of Concept
When cleanup(...) is called it checks if there is an outstanding debt to repay. The first condition checks if amt <= debt, but in a situation where the amount is less than the debt (amt < debt) the debt is not fully repaid and the difference debt - amt is greater than zero. Unfortunately this difference is not cached in storage for later repayment (as repay(...) only burns the equivalent debt token owed). Also, the amount repaid when amt < debt is sent to the reserve on behalf of the user in exchange for overlying exchange tokens.
The problem here is that the function does not capture a scenario where the amount repaid is less than the debt.
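The following is an added, illustrative model of the pattern this finding describes; it is not GoodEntry's PositionManager code. The contract name, the debtOf mapping, the InsufficientRepayment error and the _repay helper are assumptions made for the example, which places the partial-repayment branch beside a hardened form that refuses to finish cleanup while debt - amt remains owed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Illustrative model only (not the audited contract): a minimal cleanup/repay
/// flow showing why a partial repayment with amt < debt must be handled.
contract CleanupModel {
    /// Debt tokens outstanding per user (assumption: stands in for the ROE
    /// variable-debt token balance that repay(...) burns).
    mapping(address => uint256) public debtOf;

    error InsufficientRepayment(uint256 shortfall);

    /// Assumption: like repay(...), this only burns the debt actually covered.
    function _repay(address user, uint256 amount) internal {
        debtOf[user] -= amount;
    }

    /// Vulnerable shape: when amt < debt the remaining debt - amt is never
    /// recorded and the position is treated as cleaned up regardless.
    function cleanupVulnerable(address user, uint256 amt) external {
        uint256 debt = debtOf[user];
        if (debt > 0) {
            if (amt <= debt) {
                _repay(user, amt);      // partial repayment, remainder dropped
            } else {
                _repay(user, debt);     // full repayment, amt - debt returned
            }
        }
        // Caller proceeds as if the position were settled; lenders eat the gap.
    }

    /// Hardened shape: a partial repayment is detected explicitly and the
    /// cleanup reverts with the exact shortfall, so no debt is silently lost.
    function cleanupHardened(address user, uint256 amt) external {
        uint256 debt = debtOf[user];
        if (debt > 0) {
            if (amt < debt) {
                revert InsufficientRepayment(debt - amt);
            }
            _repay(user, debt);         // debt fully cleared before continuing
        }
    }
}
```

An alternative to reverting is to persist debt - amt in storage so it can be collected later; either way the check is on amt < debt before the position is considered settled.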
Tools Used
Manual review
Recommended Mitigation Steps
amt < debt
Assessed type
Other