# #35026 \[SC-Low] \`repayDebt\` in stbtc returns a worng value **Submitted on Sep 2nd 2024 at 22:15:07 UTC by @Bx4 for** [**Audit Comp | Acre**](https://immunefi.com/audit-competition/boost-acre) * **Report ID:** #35026 * **Report Type:** Smart Contract * **Report severity:** Low * **Target:** * **Impacts:** * Contract fails to deliver promised returns, but doesn't lose value * wrong return value ## Description ## Brief/Intro from our preview function and natspec comment we can deduce that \`repayDebt\` is supposed to return assets but it returns shares ## Vulnerability Details from the preview equivalent of the function; \`\`\`solidity function previewRepayDebt(uint256 shares) public view returns (uint256) { return convertToAssets(shares); } \`\`\` we can see that the final return statement returns assets by converting from shares to assets furthermore when we read the comments of \`repayDebt\` we will find this line; \` /// @return assets The amount of debt in asset paid off.\` meaning the final return value that will be expected is assets, however there is \`return shares;\` at the end of the function overwriting everything and returning shares ## Impact Details This returns a wrong value to the caller ## References repayDebt comment - previewRepayDebt - ## Proof of Concept ## Proof of Concept looking at \`repayDebt\` below \`\`\`solidity function repayDebt( uint256 shares @-> ) public whenNotPaused returns (uint256 assets) { assets = convertToAssets(shares); ... ``` emit DebtRepaid(msg.sender, currentDebt[msg.sender], assets, shares); ``` ... super.\_burn(msg.sender, shares); //@audit func is supposed to return debt in assets paid off but rather it returns shares @-> return shares; } \`\`\` we can tell from the function declaration that the function is supposed to return \`assets\`. However the last line returns shares which will overwrite previous intent of returning assets. Another concept is; when you look at \`previewRepayDebt\` below; \`\`\`solidity /// @notice Previews the amount of assets that will be burned for the given /// amount of repaid shares. function previewRepayDebt(uint256 shares) public view returns (uint256) { return convertToAssets(shares); } \`\`\` we will observe that the preview function return assets correctly unlike \`repayDebt\`. The reason why a reference is being made to \`previewRepaydebt()\` is because of the comments below; \`\`\` /// @dev The debtor has to approve the transfer of the shares. To determine /// the asset debt that is going to be repaid, the caller can use /// the \`previewRepayDebt\` function. \`\`\` from the comments we can deduce that the caller is supposed to use the preview function as a point of reference to determine the asset debt that is going to be repaid. Hence, the outcome of \`previewRepayDebt\` is assets in debt to be repaid which is supposed to similar \`repayDebt\` but per our analysis we can see this is not true --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://reports.immunefi.com/acre/35026-sc-low-repaydebt-in-stbtc-returns-a-worng-value.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.