BorrowerOperations Manual Review Findings

BOS-01M: Inexistent Validation of Minimum Net Debt

Type	Severity	Location
Logical Fault		BorrowerOperations.sol:L349

Description:

The BorrowerOPerations::_adjustTrenBox function will not ensure that the minimum net debt requirement is met by the Tren box after the adjustment operation, permitting boxes with less than the minimum to exist.

Impact:

The minimum debt requirement enforced when opening a Tren box is ineffective as it can be bypassed by reducing the debt of a position below the minimum after opening it.

Example:

Copy
346// When the adjustment is a debt repayment, check it's a valid amount and that the caller
347// has enough debt tokens
348if (!_isDebtIncrease && _debtTokenChange != 0) {
349    _requireSufficientDebtTokenBalance(_borrower, vars.netDebtChange);
350}

Recommendation:

We advise the system to properly ensure the minimum net debt is met whenever a debt repayment occurs, preventing the Tren box position from reducing its debt level below the minimum.

Alleviation (f6f1ad0b8f):

The Tren Finance team evaluated this exhibit and stated that it is desirable behavior.

We would like to note that the minimum debt requirement is a protection measure against rounding errors (i.e. free loans), a scalability component (i.e. cost of gas to capture interest), as well as a critical component of the lending protocol borrowing model.

As a result, we advise a minimum debt requirement to be imposed as it would be a harmful feature to the protocol's health.

Alleviation (73b9546eb9):

The Tren Finance team wishes to continue its acknowledgement of the vulnerability despite the significant risks we have outlined in the previous alleviation chapter.

We would like to note that this can ultimately prove harmful to the protocol, and we do not agree with the protocol launching in a state whereby no minimum net debt is imposed.

Alleviation (13f0ca88ab):

The minimum net debt security check has been re-introduced to the codebase, alleviating this exhibit in full.