Submission Details
Severity:
Incorrect totalSupply returned will lead wrong state update
Summary
The totalSupply returned is incorrect
Vulnerability Details
The totalSupply returned the supply of the DebtToken
/**
* @notice Returns the scaled total supply
* @return The total supply (scaled by the usage index)
*/
function totalSupply() public view override(ERC20, IERC20) returns (uint256) {
uint256 scaledSupply = super.totalSupply();
return scaledSupply.rayDiv(ILendingPool(_reservePool).getNormalizedDebt());
}
However this implementation is wrong and will return the wrong total supply due to a wrong calculation.(It should be multiplied instead of divided.)
Impact
The totalSupply is incorrect and will lead to incorrect state update like the reserve.totalUsage
Tools Used
Manual review
Recommendations
Fix it as follows.
function totalSupply() public view override(ERC20, IERC20) returns (uint256) {
uint256 scaledSupply = super.totalSupply();
@> return scaledSupply.rayMul(ILendingPool(_reservePool).getNormalizedDebt());
}
Updates
Lead Judging Commences
inallhonesty about 2 months ago
Submission Judgement Published Assigned finding tags:
DebtToken::totalSupply incorrectly uses rayDiv instead of rayMul, severely under-reporting total debt and causing lending protocol accounting errors
inallhonesty about 2 months ago
Submission Judgement Published Assigned finding tags:
DebtToken::totalSupply incorrectly uses rayDiv instead of rayMul, severely under-reporting total debt and causing lending protocol accounting errors
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.