Closed sherlock-admin closed 11 months ago
I didn’t understand this case. You are probably mistaken in that the transfer here is not to the Vault and therefore your conclusions are incorrect.

```solidity
Vault(VAULT_ADDRESS).transferToken(
    borrowing.holdToken,
    address(this),
    borrowing.borrowedAmount + liquidationBonus
);
```
detectiveking
high
Borrowers are overcharged fees because both `borrowing.dailyRateCollateralBalance` is decremented and `borrowing.feesOwed` is incremented
Summary
Currently, we update the fees that a user owes in `_initOrUpdateBorrowing`. Later on, the `dailyRateCollateralBalance` is transferred to the `LiquidityBorrowingManager`, fees are transferred to the creditor from the `LiquidityBorrowingManager`, and then the remaining tokens are transferred to the borrower. However, because we both decrement `borrowing.dailyRateCollateralBalance` and increment `borrowing.feesOwed`, the borrower ends up being double charged for the fees.
Vulnerability Detail
Let's say that a user has called borrow once, and then calls borrow again in `LiquidityBorrowingManager`. Then, `_initOrUpdateBorrowing` in `LiquidityBorrowingManager` is called. Let's say the position isn't underwater, so we eventually reach:
However, we also call `borrowing.feesOwed += currentFees;`.
Then, when we go to repay, we have the following code snippet:
and:
The TLDR here is that some adjusted version (for fees) of the `borrowing.dailyRateCollateralBalance` is added to `liquidationBonus`, and then `borrowing.borrowedAmount + liquidationBonus` is transferred to the Vault. Later, in LiquidityManager.sol, we have:
So, an already lower amount of token (lower because `currentFees` was subtracted from `borrowing.dailyRateCollateralBalance` as we saw above) is being transferred to the vault, but then `currentFees` is transferred out again to the creditor. The borrower is therefore being charged twice for the fee.
Impact
Borrower is charged twice for the fees
Code Snippet
https://github.com/sherlock-audit/2023-10-real-wagmi/blob/main/wagmi-leverage/contracts/LiquidityBorrowingManager.sol#L942-L947
https://github.com/sherlock-audit/2023-10-real-wagmi/blob/main/wagmi-leverage/contracts/LiquidityBorrowingManager.sol#L548-L636
https://github.com/sherlock-audit/2023-10-real-wagmi/blob/main/wagmi-leverage/contracts/abstract/LiquidityManager.sol#L315
Tool used
Manual Review
Recommendation
I would recommend you just keep track of the total amount of `holdToken` that's been transferred in to date by the borrower, and then send that amount back to the `Vault` when `repay` is called. The fees can then be charged on this amount and other processing can also be done on this amount.