The totalSupply() function in DebtToken returns the wrong total supply because it uses rayDiv instead of rayMul. The result is incorrect because the intention is to scale the supply upwards by getNormalizedDebt(). As a result, any logic depending on this total supply value, such as updating reserve.totalUsage in the lending pool, receives invalid data.
super.totalSupply() already returns a scaled amount. To get the correct total supply, totalSupply() should multiply that amount by getNormalizedDebt() rather than divide by it.
The returned total supply becomes incorrect, which cascades into other functions (such as mint and burn return values) and distorts how reserve.totalUsage is determined in the lending pool contract.
Incorrect Accounting: Any calculation relying on DebtToken::totalSupply() is skewed.
Misleading Reserve Data: The lending pool’s reserve.totalUsage uses a wrong total supply and may trigger logic errors related to interest rate calculations or debt thresholds.
Possible Financial Mismatch: Over time, improper debt or interest calculations can lead to financial imbalances and affect user positions.
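The scaling error described above, modelled in ray (27-decimal) fixed-point arithmetic as an added example; it is not the project's code. The half-up rounding, the assumption that minting stores the amount divided by the index, the function names and the sample figures are all constructed for illustration.

```python
# Added illustration: fixed-point model of the scaling bug (not the project's code).
RAY = 10**27          # 27-decimal fixed point, the "ray" unit
HALF_RAY = RAY // 2

def ray_mul(a: int, b: int) -> int:
    """a * b in ray precision, rounded half up (assumed rounding mode)."""
    return (a * b + HALF_RAY) // RAY

def ray_div(a: int, b: int) -> int:
    """a / b in ray precision, rounded half up (assumed rounding mode)."""
    return (a * RAY + b // 2) // b

def scaled_supply_after_mint(amount: int, index: int) -> int:
    """Assumed storage rule: minted debt divided by the index at mint time."""
    return ray_div(amount, index)

def total_supply_buggy(scaled: int, index: int) -> int:
    """Behaviour described in the finding: divides the scaled supply again."""
    return ray_div(scaled, index)

def total_supply_fixed(scaled: int, index: int) -> int:
    """Recommended behaviour: scale the stored supply up by the index."""
    return ray_mul(scaled, index)

def relative_error_bps(actual: int, reported: int) -> int:
    """Under-reporting in basis points of the actual debt."""
    return (actual - reported) * 10_000 // actual

# Constructed sample: 1,000 tokens (18 decimals) borrowed at index 1.10,
# after which the index grows to 1.21.
UNIT = 10**18
MINT_INDEX = 11 * RAY // 10
LATER_INDEX = 121 * RAY // 100
SCALED = scaled_supply_after_mint(1_000 * UNIT, MINT_INDEX)

if __name__ == "__main__":
    for label, idx in (("at mint", MINT_INDEX), ("later", LATER_INDEX)):
        good = total_supply_fixed(SCALED, idx)
        bad = total_supply_buggy(SCALED, idx)
        print(f"{label}: fixed={good / UNIT:.4f} buggy={bad / UNIT:.4f} "
              f"under-reported by {relative_error_bps(good, bad)} bps")
```

The under-reporting grows with the index: the buggy value is off by a factor of the index squared, so the gap widens as interest accrues.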
Manual Code Review and Foundry