Submission Details
Severity:
Incorrect total supply calculation in DebtToken
Summary
The total supply is being calculated as:
/**
* @notice Returns the scaled total supply
* @return The total supply (scaled by the usage index)
*/
function totalSupply()
public
view
override(ERC20, IERC20)
returns (uint256)
{
uint256 scaledSupply = super.totalSupply();
return
//@audit multiply
scaledSupply.rayDiv(ILendingPool(_reservePool).getNormalizedDebt());
}
The correct way to do it would be by multiplying by the index instead of dividing to accurately retrieve the previous supply + accrued interests.
Vulnerability Details
Impact
Tools Used
Manual review.
Recommendations
Multiply by the index instead of dividing.
Updates
Lead Judging Commences
inallhonesty 4 months ago
Submission Judgement Published Assigned finding tags:
DebtToken::totalSupply incorrectly uses rayDiv instead of rayMul, severely under-reporting total debt and causing lending protocol accounting errors
inallhonesty 4 months ago
Submission Judgement Published Assigned finding tags:
DebtToken::totalSupply incorrectly uses rayDiv instead of rayMul, severely under-reporting total debt and causing lending protocol accounting errors
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.