sherlock-audit / 2023-01-ajna-judging


yixxas - Borrower can never fully repay debt due to `_revertOnMinDebt()` #91

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

yixxas

high

Borrower can never fully repay debt due to _revertOnMinDebt()

Summary

`_revertOnMinDebt()` is used to ensure that the total debt a borrower is holding is more than the minimum enforced when the borrower draws debt. However, this check is done in `repayDebt()` as well. This will prevent the borrower from paying back the debt below the minimum amount enforced.

Vulnerability Detail

In `repayDebt()`, the pool debt and the borrower's debt are reduced based on how much quote token the borrower repays, as seen in the code snippet below.

```solidity
result_.poolDebt -= result_.quoteTokenToRepay;
vars.borrowerDebt -= result_.quoteTokenToRepay;

// check that paying the loan doesn't leave borrower debt under min debt amount
_revertOnMinDebt(loans_, result_.poolDebt, vars.borrowerDebt, poolState_.quoteDustLimit);
```

The remaining debt amount `vars.borrowerDebt` is then checked with `_revertOnMinDebt()`. `_revertOnMinDebt()` enforces that the debt amount must be above a certain amount. This will prevent the borrower from fully repaying their debt, or from repaying it below a certain amount.

Impact

`_revertOnMinDebt()` seems to be used wrongly here. It will prevent borrowers from paying back their debt fully.

Code Snippet

https://github.com/sherlock-audit/2023-01-ajna/blob/main/contracts/src/libraries/external/BorrowerActions.sol#L274-L278

Tool used

Manual Review

Recommendation

Consider removing the check to prevent this issue from happening.

grandizzy commented 1 year ago

it’s by design to not let one pay debt under dust limit but in full

yixxas commented 1 year ago

Escalate for 5 USDC

As a response to sponsor's comment, I would like to clarify that Borrower can choose the amount of quoteToken to repay. Borrowers are not required to pay back debt in full.

The issue here happens when borrower repays debt such that the remaining amount is less than min debt. They will not be able to make the full repayment thereafter due to this revert.

A better recommendation would be to not do the _revertOnMinDebt if borrower is trying to repay back the debt in full.

sherlock-admin commented 1 year ago

You've created a valid escalation for 5 USDC!

To remove the escalation from consideration: Delete your comment. To change the amount you've staked on this escalation: Edit your comment (do not create a new comment).

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

EdNoepel commented 1 year ago

Unless using a proxy contract, the borrower cannot predict their exact repayment amount, because they do not know in which block their TX will be included, and how much interest will be due at that block height. As such, the user has two choices:

_revertOnMinDebt already skips the check in the case of full repayment, where borrowerDebt_ has decremented to 0.

hrishibhat commented 1 year ago

Escalation rejected

Agreed that _revertOnMinDebt skips the check in case borrowerDebt_ is zero in case of making full payment.

sherlock-admin commented 1 year ago

This issue's escalations have been rejected!

Watsons who escalated this issue will have their escalation amount deducted from their next payout.
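
The behaviour the thread settles on, as an added Python model (not Ajna's Solidity code and not part of any comment above): the minimum-debt check is skipped when the remaining debt is exactly 0 and rejects any repayment that leaves a non-zero remainder below the minimum. The single `MIN_DEBT` threshold, the function names and all amounts are constructed assumptions for illustration.

```python
"""Simplified model of the min-debt check on repayment (added example)."""

MIN_DEBT = 100  # constructed threshold; the real pool derives its own minimum


class MinDebtRevert(Exception):
    """Stands in for the Solidity revert raised by the check."""


def revert_on_min_debt(borrower_debt: int, min_debt: int) -> None:
    # As stated in the thread: a remaining debt of exactly 0 skips the check.
    if borrower_debt != 0 and borrower_debt < min_debt:
        raise MinDebtRevert(f"remaining debt {borrower_debt} < minimum {min_debt}")


def repay_debt(borrower_debt: int, repay_amount: int, min_debt: int) -> int:
    """Return the debt left after repayment, or raise if it is rejected."""
    if repay_amount > borrower_debt:
        # Model simplification: over-repayment is simply not modelled here.
        raise ValueError("repay amount exceeds debt")
    remaining = borrower_debt - repay_amount
    revert_on_min_debt(remaining, min_debt)
    return remaining


def outcome(borrower_debt: int, repay_amount: int, min_debt: int = MIN_DEBT):
    """(accepted, debt afterwards); a revert leaves the debt unchanged."""
    try:
        return True, repay_debt(borrower_debt, repay_amount, min_debt)
    except MinDebtRevert:
        return False, borrower_debt


if __name__ == "__main__":
    cases = [
        ("full repayment", 1000, 1000),
        ("partial, remainder above minimum", 1000, 500),
        ("partial, remainder below minimum", 1000, 950),
        # Amount was computed when debt was 1000; one unit of interest
        # accrued before inclusion, so a dust remainder is left behind.
        ("stale exact amount after interest", 1001, 1000),
    ]
    for label, debt, amount in cases:
        print(f"{label:36s} -> {outcome(debt, amount)}")
```
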