Incorrect debt and health-factor calculations in MorphoService
Description
Both the getDebt and getHealthFactor functions contain calculation errors that underestimate debt and produce incorrect health factors.
Debt calculation. The debt calculation uses the stored totalBorrowAssets, which reflects only the last cached state and does not include pending accrued interest. The division also rounds down instead of up (favoring the borrower):
    function getDebt(address account) external view override returns (uint256 debt) {
        [...]
        debt = uint256(pos.borrowShares) * uint256(m.totalBorrowAssets) / uint256(m.totalBorrowShares);
    }
This issue affects both the getDebt and getHealthFactor functions.
Health-factor collateral calculation. The getHealthFactor function incorrectly calculates the collateral value by using the raw collateral amount instead of converting it to loan-token terms using oracle prices:
    function getHealthFactor(address account) external view override returns (uint256) {
        [...]
        // collateralValue = collateral * lltv (loan-to-value)
        // Note: In production, you'd need to get oracle price and compute properly
        // This is simplified for the example
        uint256 maxBorrow = uint256(pos.collateral) * params.lltv / 1e18;
        [...]
    }
The comment acknowledges this limitation, but the function is used in production without proper oracle price conversion.
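Both errors worked through numerically, as an added Python model that is not code from Hyperbeat or Morpho. Assumptions: the constants and the three-term interest approximation are taken to match Morpho Blue, the health factor is taken to be maxBorrow divided by debt and scaled by 1e18, and the market values are constructed.

```python
# Added illustration (not Hyperbeat's or Morpho's code); integer math mirrors on-chain rounding.
WAD = 10**18
ORACLE_PRICE_SCALE = 10**36                 # assumed to match Morpho Blue's oracle scale
VIRTUAL_SHARES, VIRTUAL_ASSETS = 10**6, 1   # assumed to match Morpho Blue's share math

def mul_div_down(x, y, d):
    return x * y // d

def mul_div_up(x, y, d):
    return (x * y + d - 1) // d

def w_taylor_compounded(rate, elapsed):
    """Three-term Taylor approximation of exp(rate * elapsed) - 1, WAD-scaled."""
    first = rate * elapsed
    second = mul_div_down(first, first, 2 * WAD)
    third = mul_div_down(second, first, 3 * WAD)
    return first + second + third

def debt_as_reported(shares, total_assets, total_shares):
    """Formula from the finding: cached totals, division rounds down."""
    return shares * total_assets // total_shares

def debt_expected(shares, total_assets, total_shares, rate, elapsed):
    """Add interest pending since the last accrual, then round up."""
    growth = w_taylor_compounded(rate, elapsed)
    accrued = total_assets + mul_div_down(total_assets, growth, WAD)
    return mul_div_up(shares, accrued + VIRTUAL_ASSETS, total_shares + VIRTUAL_SHARES)

def hf_as_reported(collateral, lltv, debt):
    """Formula from the finding: raw collateral units, no oracle price."""
    return mul_div_down(collateral * lltv // WAD, WAD, debt)

def hf_with_oracle(collateral, price, lltv, debt):
    """Convert collateral to loan-token units before applying the LLTV."""
    in_loan_token = mul_div_down(collateral, price, ORACLE_PRICE_SCALE)
    return mul_div_down(mul_div_down(in_loan_token, lltv, WAD), WAD, debt)

# Constructed market: 6-decimal loan token, 18-decimal collateral priced at 2000.
MARKET = dict(total_assets=5 * 10**12, total_shares=5 * 10**18)
SHARES, COLLATERAL, LLTV = 10**15, 10**18, 86 * 10**16
PRICE = 2000 * 10**(36 + 6 - 18)
RATE, ELAPSED = 10**9, 10**6   # per-second WAD rate, seconds since last accrual

if __name__ == "__main__":
    stale = debt_as_reported(SHARES, **MARKET)
    fresh = debt_expected(SHARES, rate=RATE, elapsed=ELAPSED, **MARKET)
    print("debt:", stale, "vs", fresh)
    print("HF:  ", hf_as_reported(COLLATERAL, LLTV, fresh) / WAD,
          "vs", hf_with_oracle(COLLATERAL, PRICE, LLTV, fresh) / WAD)
```

With these constructed inputs, the cached formula shows a lower debt than the accrued, rounded-up value, and the health factor without price conversion is off by many orders of magnitude because 18-decimal collateral units are compared directly against a 6-decimal debt.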
Impact
Users and off-chain systems see incorrect debt and health-factor information. This may lead users to believe they owe less than they actually do or have inaccurate risk assessments of their positions. It primarily affects UI displays and monitoring systems.
Recommendations
To address the calculation errors, use MorphoBalancesLib::expectedBorrowAssets for debt calculations in both functions (as recommended in Morpho's documentation), which properly accounts for accrued interest and implements correct rounding behavior, and implement proper oracle price conversion for collateral value in getHealthFactor.
Alternatively, consider removing getDebt and getHealthFactor if they are only used for testing, to avoid confusion from inaccurate calculations.
Remediation
This issue has been acknowledged by Hyperbeat, and a fix was implemented in commit 850808eb. The getDebt and getHealthFactor functions have now been removed.