`balanceOf` function incorrectly returns the **unscaled** debt
Summary
The balanceOf function in RToken and DebtToken incorrectly returns the unscaled debt balance instead of the scaled balance. This could lead to miscalculations in user debt tracking, causing inconsistencies in liquidation, interest accrual, and repayment calculations.
Vulnerability Details
The function is intended to return the scaled debt balance of a user but instead returns the unscaled balance due to an incorrect multiplication operation:
Issue Breakdown:
The function retrieves the scaled debt balance from the parent ERC20 contract:
uint256 scaledBalance = super.balanceOf(account);It then incorrectly multiplies it by the normalized debt index (
getNormalizedDebt()):return scaledBalance.rayMul(ILendingPool(_reservePool).getNormalizedDebt());rayMul(getNormalizedDebt())converts the scaled balance to an unscaled balance, which contradicts the function’s intended purpose of returning the scaled balance.
Correct Behavior:
The function should return
scaledBalancewithout modification, as it already represents the scaled debt balance.
Impact
Debt tracking inconsistencies: Borrowers’ balances may be reported incorrectly.
Incorrect liquidations: Users may be liquidated at the wrong debt thresholds.
Erroneous interest calculations: Interest accrual and repayments may be miscalculated.
Potential financial loss: Users may overpay or underpay their debts due to incorrect balance representations.
Tools Used
Manual Review
Recommendations
Remove the multiplication by
getNormalizedDebt(), ensuring the function returns the correctly scaled debt balance:function balanceOf(address account) public view override(ERC20, IERC20) returns (uint256) {return super.balanceOf(account); // Correctly returns the scaled balance}
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.