Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

`balanceIncrease` Counting Double Interests in the Mint Function of `DebtToken.sol` Contract

Summary

In the DebtToken contract, the mint function calculates the balanceIncrease by multiplying the index difference with the value returned by the balanceOf function, which already includes interest. This results in double-counting of interest, inflating debt balances and potentially causing users to overpay or disrupting the system's economic model.

Vulnerability Details

The issue arises when the balanceIncrease is calculated using the balanceOf function, which already accounts for interest. This leads to an inflated balance when calculating the increase in debt, as the interest is counted twice—once in the balanceOf function and once during the balanceIncrease calculation.

contracts/core/tokens/DebtToken.sol:mint#L150-L156

    function mint(
        address user,
        address onBehalfOf,
        uint256 amount,
        uint256 index
    ) external override onlyReservePool returns (bool, uint256, uint256) {
        //@audit ❌ Error: Using balance that already includes interest
        uint256 scaledBalance = balanceOf(onBehalfOf);
        bool isFirstMint = scaledBalance == 0;
        uint256 balanceIncrease = 0;
        if (_userState[onBehalfOf].index != 0 && _userState[onBehalfOf].index < index) {
            balanceIncrease =
                scaledBalance.rayMul(index) -
                scaledBalance.rayMul(_userState[onBehalfOf].index);
        }
    }

contracts/core/tokens/DebtToken.sol:balanceOf#L225

    function balanceOf(address account) public view returns (uint256) {
        uint256 scaledBalance = super.balanceOf(account);
        // @audit Already includes interest calculation
        return scaledBalance.rayMul(ILendingPool(_reservePool).getNormalizedDebt());
    }

Scenario:

  1. The user initially borrows 100 ETH.

  2. Old index = 1.0

  3. New index = 1.1

Incorrect calculation:

  • balanceOf returns = 100 * 1.1 = 110 ETH

  • balanceIncrease = 110 * 1.1 - 110 * 1.0
    = 121 - 110
    = 11 ETH // ❌ Interest is inflated

Correct calculation should be:

  • balanceIncrease = 100 * 1.1 - 100 * 1.0
    = 110 - 100
    = 10 ETH
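
The scenario above as an added BigInt model of the ray arithmetic (not code from the submission or the project), extended with a second index to show the overstatement growing. It assumes `rayMul` rounds half-up and that the normalized debt equals the `index` passed to `mint`; the function names are hypothetical.

```javascript
// Added model of the ray (1e27) fixed-point math; not the project's code.
const RAY = 10n ** 27n;
// Assumption: rayMul rounds half-up, as in common WadRayMath libraries.
const rayMul = (a, b) => (a * b + RAY / 2n) / RAY;

// Interest-inclusive balance, mirroring DebtToken.balanceOf on the page.
const balanceOf = (scaled, normalizedDebt) => rayMul(scaled, normalizedDebt);

// mint() as reported: the base is balanceOf(), which already carries the index.
function balanceIncreaseReported(scaled, userIndex, index) {
  const base = balanceOf(scaled, index); // assumption: normalized debt == index
  if (userIndex === 0n || userIndex >= index) return 0n;
  return rayMul(base, index) - rayMul(base, userIndex);
}

// mint() as recommended: the base is the stored scaled balance.
function balanceIncreaseFixed(scaled, userIndex, index) {
  if (userIndex === 0n || userIndex >= index) return 0n;
  return rayMul(scaled, index) - rayMul(scaled, userIndex);
}

// Regression check: debt at the old index plus the computed increase
// must equal debt at the new index.
function increaseIsConsistent(increaseFn, scaled, userIndex, index) {
  const oldDebt = rayMul(scaled, userIndex);
  const newDebt = rayMul(scaled, index);
  return oldDebt + increaseFn(scaled, userIndex, index) === newDebt;
}

// Constructed inputs: the page's scenario (100 ETH, index 1.0 -> 1.1), then 1.5.
const ETH = 10n ** 18n;
const scaled = 100n * ETH;
const idx = (tenths) => (BigInt(tenths) * RAY) / 10n;

for (const tenths of [11, 15]) {
  const bad = balanceIncreaseReported(scaled, idx(10), idx(tenths));
  const good = balanceIncreaseFixed(scaled, idx(10), idx(tenths));
  const ok = increaseIsConsistent(balanceIncreaseReported, scaled, idx(10), idx(tenths));
  console.log(`index ${tenths / 10}: reported=${bad / ETH} fixed=${good / ETH} reportedConsistent=${ok}`);
}
```

The reported increase is the correct increase multiplied by the new index, so the gap widens as interest accrues.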

Impact

  • Interest Overinflation: Interest is incorrectly compounded by using an already interest-included balance.

  • Excessive User Debt: Users' debt balances are artificially inflated, leading to overpayments. Users may end up repaying more than their original debt due to the compounded interest error.

  • Economic Model Disruption: The system's debt calculations become inaccurate, impacting the economic security and balance of the system.

Tools Used

Manual code review

Recommendations

Correct the balanceIncrease calculation so that it uses the balance before interest is applied, as returned by scaledBalanceOf, instead of the interest-inclusive value returned by balanceOf.

function mint(
address user,
address onBehalfOf,
uint256 amount,
uint256 index
) external override onlyReservePool returns (bool, uint256, uint256) {
// ... other code ...
// ✅ Use raw unscaled balance for correct interest calculation
- uint256 scaledBalance = balanceOf(onBehalfOf);
+ uint256 scaledBalance = scaledBalanceOf(onBehalfOf);
bool isFirstMint = scaledBalance == 0;
uint256 balanceIncrease = 0;
if (_userState[onBehalfOf].index != 0 && _userState[onBehalfOf].index < index) {
balanceIncrease =
scaledBalance.rayMul(index) -
scaledBalance.rayMul(_userState[onBehalfOf].index);
}
// ... other code ...
}
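
Review bot: the comment above the changed line describes the new value as the "raw unscaled balance", but the replacement reads `scaledBalanceOf(onBehalfOf)` into a variable named `scaledBalance`; reword the comment to say it is the stored scaled balance, before the index is applied, so the wording matches the call. Because the rest of `mint` is hidden behind `// ... other code ...`, also confirm that no later use of `scaledBalance` or `isFirstMint` depended on the interest-inclusive value, and add a test that pins the scenario's expected 10 ETH increase.
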
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

DebtToken::mint miscalculates debt by applying interest twice, inflating borrow amounts and risking premature liquidations
