Incorrect calculation of the required collateral amount for borrowing. baseAmount.percent(collateralRatio)
Summary
In the LenderCommitmentGroup_Smart, the collateralRatio is the overcollateralization ratio, and a user can borrow collateralAmount * collateralRatio in principal tokens. However, the required collateral amount is calculated incorrectly in the LenderCommitmentGroup_Smart.getCollateralRequiredForPrincipalAmount() function.
Vulnerability Detail
The amount of required collateral for a baseAmount of principal tokens should be baseAmount / collateralRatio. However, in the following code, the required collateral amount is calculated as baseAmount * collateralRatio, which is incorrect.
uint16 public collateralRatio; //the overcollateralization ratio, typically 80 pct
function getCollateralRequiredForPrincipalAmount(uint256 _principalAmount)
public
view
returns (uint256)
{
uint256 baseAmount = _calculateCollateralTokensAmountEquivalentToPrincipalTokens(
_principalAmount
);
//this is an amount of collateral
@> return baseAmount.percent(collateralRatio);
}
function percent(uint256 self, uint16 percentage)
internal
pure
returns (uint256)
{
return percent(self, percentage, 2);
}
function percent(uint256 self, uint256 percentage, uint256 decimals)
internal
pure
returns (uint256)
{
return (self * percentage) / percentFactor(decimals);
}
As a result, the calculated amount of required collateral is less than the actually required amount.
Impact
The comment says that the typical collateralRatio is 80 pct. It means that borrowers can borrow 1.25 times as worthy as his own collateral. This leads to 20 pct loss of fund for liquidity providers.
KupiaSec
high
Incorrect calculation of the required collateral amount for borrowing.
baseAmount.percent(collateralRatio)Summary
In the
LenderCommitmentGroup_Smart, the collateralRatio is the overcollateralization ratio, and a user can borrowcollateralAmount * collateralRatioin principal tokens. However, the required collateral amount is calculated incorrectly in theLenderCommitmentGroup_Smart.getCollateralRequiredForPrincipalAmount()function.Vulnerability Detail
The amount of required collateral for a
baseAmountof principal tokens should bebaseAmount / collateralRatio. However, in the following code, the required collateral amount is calculated asbaseAmount*collateralRatio, which is incorrect.https://github.com/sherlock-audit/2024-04-teller-finance/blob/main/teller-protocol-v2-audit-2024/packages/contracts/contracts/LenderCommitmentForwarder/extensions/LenderCommitmentGroup/LenderCommitmentGroup_Smart.sol#L525-L536
As a result, the calculated amount of required collateral is less than the actually required amount.
Impact
The comment says that the typical collateralRatio is 80 pct. It means that borrowers can borrow 1.25 times as worthy as his own collateral. This leads to 20 pct loss of fund for liquidity providers.
Code Snippet
https://github.com/sherlock-audit/2024-04-teller-finance/blob/main/teller-protocol-v2-audit-2024/packages/contracts/contracts/LenderCommitmentForwarder/extensions/LenderCommitmentGroup/LenderCommitmentGroup_Smart.sol#L525-L536
Tool used
Manual Review
Recommendation
The calculation of the required collateral amount should be corrected.
Duplicate of #96