Omniscia Powercity Audit

BorrowerOperations Manual Review Findings

BorrowerOperations Manual Review Findings

BOS-01M: Inexistent Validation of Valid Repayment

TypeSeverityLocation
Logical FaultBorrowerOperations.sol:L310-L313

Description:

The original Liquity codebase's BorrowerOperations::_adjustTrove function would ensure that a debt repayment is valid via the BorrowerOperations::_requireValidLUSDRepayment function, however, this function is no longer present in the codebase nor in use.

Impact:

As no debt repayment validation is performed, it is possible to arbitrarily overpay a debt position and thus lose the funds that were provided over the actual debt amount. This is further permitted as the codebase relocated its BorrowerOperations::_requireAtLeastMinNetDebt invocation and also performs it in an overflow-safe way.

Example:

BorrowerOperations.sol
309// When the adjustment is a debt repayment, check it's a valid amount and that the caller has enough LUSD
310if (!_isDebtIncrease && _LUSDChange > 0) {
311 _requireAtLeastMinNetDebt(_getNetDebt(vars.debt), vars.netDebtChange);
312 _requireSufficientLUSDBalance(contractsCache.lusdToken, _borrower, vars.netDebtChange);
313}

Recommendation:

We advise it to be introduced and properly invoked as it is currently possible to "overpay" debt positions, causing users to misappropriate their funds.

Alleviation (8bedd3b0df6387957e6b8f5d52507e776c1458b0):

The code re-introduced Liquity's original checks, alleviating this exhibit in full.