Submission Details
Severity:
Incorrect total supply calculation in DebtToken
Summary
The total supply is being calculated as:
/**
* @notice Returns the scaled total supply
* @return The total supply (scaled by the usage index)
*/
function totalSupply()
public
view
override(ERC20, IERC20)
returns (uint256)
{
uint256 scaledSupply = super.totalSupply();
return
//@audit multiply
scaledSupply.rayDiv(ILendingPool(_reservePool).getNormalizedDebt());
}
The correct way to do it would be by multiplying by the index instead of dividing to accurately retrieve the previous supply + accrued interests.
Vulnerability Details
Impact
Tools Used
Manual review.
Recommendations
Multiply by the index instead of dividing.
Updates
Lead Judging Commences
inallhonesty 10 months ago
Submission Judgement Published Assigned finding tags:
DebtToken::totalSupply incorrectly uses rayDiv instead of rayMul, severely under-reporting total debt and causing lending protocol accounting errors
inallhonesty 10 months ago
Submission Judgement Published Assigned finding tags:
DebtToken::totalSupply incorrectly uses rayDiv instead of rayMul, severely under-reporting total debt and causing lending protocol accounting errors
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420
USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.