Delightful Marmalade Squid - The repayment waterfall logic contradicts documentation: restaker repaid before vault principal, disadvantaging LPs

[sherlock-admin3]

Delightful Marmalade Squid

Medium

The repayment waterfall logic contradicts documentation: restaker repaid before vault principal, disadvantaging LPs

Summary

BorrowLogic.repay() allocates to restaker's unrealized interest before vault principal, which will cause LPs to be repaid later than described in the documentation which promises principal, restaker , interest.

Root Cause

In BorrowLogic.repay():
https://github.com/sherlock-audit/2025-07-cap/blob/2bd34fa369d36af8ecc377090d3292ea74ccc669/cap-contracts/contracts/lendingPool/libraries/BorrowLogic.sol#L124-L150

// @audit first it consumes reserve.unrealizedInterest[agent] ...
if (remaining > reserve.unrealizedInterest[params.agent]) {
    restakerRepaid = reserve.unrealizedInterest[params.agent];
    remaining -= restakerRepaid;
} else {
    restakerRepaid = remaining;
    remaining = 0;
}
uint256 vaultRepaid = Math.min(remaining, reserve.debt);

This contradicts the repayment order stated in the documentation.

When repaying, the protocol prioritizes the repayment of principal debt first, followed by restaker debt, and finally interest debt. 

Internal Pre-conditions

• Agent has both reserve.debt (vault principal/realized) and reserve.unrealizedInterest[agent]
• A partial repay is made.

External Pre-conditions

None

Attack Path

Agent repays just enough to fully pay the restaker's unrealized interest but not the principal.

LPs (vault) stay unpaid longer than expected.

Impact

LPs are economically disadvantaged

PoC

N/A

Mitigation

Reorder the repayment waterfall to match the documentation