Obedient Lava Monkey
Medium
In validateRepay, the lack of a check to ensure that amountSent does not exceed debt will cause a loss of funds for users as excess repayments may be locked or mismanaged.
In ValidationLogic.sol:469, the validateRepay function checks that amountSent is non-zero and that the user has an outstanding debt. However, it does not verify if amountSent exceeds the debt. Without this check, any excess amount sent beyond the user's debt is accepted without proper handling, leading to potential loss or locking of funds. This omission can cause discrepancies in fund management and result in users losing their excess repayments.
- A user must call
repay()to send a repayment amount (amountSent). - The user must have a debt (
debt) greater than zero.
- No external conditions are required as this is an internal logic issue.
- The user calls
repay()with anamountSentgreater than the actualdebt. - The
validateRepayfunction processes the repayment without checking ifamountSentexceeds thedebt. - The excess funds are not properly handled, leading to potential loss or mismanagement.
The user suffers an approximate loss equal to the excess amount sent over the actual debt. The protocol locks or mismanages these excess funds.
Add a check in validateRepay to ensure that amountSent does not exceed the user's debt.