Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Debt token totalSupply returns wrong value

Summary

A debt token is an equity token: the longer a user holds it, the more they should repay. The value of each token stays the same; what changes is the number of tokens.

Vulnerability Details

totalSupply should be multiplied by usageIndex, but instead it is divided by it. This is wrong because, as time passes, the debt index increases with accrued borrow fees.

// DebtToken.sol 232
function totalSupply() public view override(ERC20, IERC20) returns (uint256) {
    uint256 scaledSupply = super.totalSupply();
    return scaledSupply.rayDiv(ILendingPool(_reservePool).getNormalizedDebt());
}

The same can be seen in another DebtToken function: here scaledBalance is multiplied by usageIndex, not divided.

// DebtToken.sol 223
function balanceOf(address account) public view override(ERC20, IERC20) returns (uint256) {
    uint256 scaledBalance = super.balanceOf(account);
    return scaledBalance.rayMul(ILendingPool(_reservePool).getNormalizedDebt());
}

Such a discrepancy makes no sense: over the same period, the token balances of all individual users will increase, but totalSupply will decrease.

Impact

The protocol reports an incorrect total supply of tokens but, more importantly, this function is used for calculating the income and debt indexes. It is called after burn and mint, and its value is assigned to reserve.totalUsage. Later, the utilization rate is calculated based on the proportion between reserve.totalLiquidity and reserve.totalUsage, and based on that the protocol calculates lending and borrowing rates (this happens in updateInterestRatesAndLiquidity).

In short, higher totalUsage means higher rates. But because of this division inside totalSupply, rates will be lower than they should be.
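The discrepancy and its effect on utilization can be checked numerically with the following added Python model, which is not code from the audited project. It assumes Aave-style half-up ray rounding and a utilization formula of usage / (liquidity + usage); the class, function names and sample balances are constructed for illustration.

```python
RAY = 10**27            # 27-decimal fixed point (assumed Aave-style WadRayMath)
HALF_RAY = RAY // 2

def ray_mul(a: int, b: int) -> int:
    """a * b in ray precision, rounded half up."""
    return (a * b + HALF_RAY) // RAY

def ray_div(a: int, b: int) -> int:
    """a / b in ray precision, rounded half up."""
    return (a * RAY + b // 2) // b

class DebtTokenModel:
    """Hypothetical model: scaled balances plus a normalized debt index."""
    def __init__(self, scaled_balances: dict, index: int):
        self.scaled = dict(scaled_balances)
        self.index = index

    def balance_of(self, account: str) -> int:
        # Mirrors balanceOf on the page: scaled balance * index.
        return ray_mul(self.scaled[account], self.index)

    def total_supply_buggy(self) -> int:
        # Mirrors the reported totalSupply: scaled supply / index.
        return ray_div(sum(self.scaled.values()), self.index)

    def total_supply_fixed(self) -> int:
        # Recommended form: scaled supply * index.
        return ray_mul(sum(self.scaled.values()), self.index)

def utilization(total_liquidity: int, total_usage: int) -> int:
    """Assumed formula (not taken from the page): usage / (liquidity + usage)."""
    if total_usage == 0:
        return 0
    return ray_div(total_usage, total_liquidity + total_usage)

def supply_invariant_holds(token: DebtTokenModel, total_supply: int) -> bool:
    """Sum of balances must equal total supply, within 1 unit of rounding per holder."""
    balances = sum(token.balance_of(a) for a in token.scaled)
    return abs(balances - total_supply) <= len(token.scaled)

# Constructed sample: two borrowers, index grown to 1.25 (25% accrued fees).
token = DebtTokenModel({"alice": 600 * 10**18, "bob": 400 * 10**18}, 125 * RAY // 100)
LIQUIDITY = 1000 * 10**18

if __name__ == "__main__":
    for name, ts in (("buggy", token.total_supply_buggy()), ("fixed", token.total_supply_fixed())):
        print(name, ts, supply_invariant_holds(token, ts), utilization(LIQUIDITY, ts))
```

The same sum-of-balances check works as an invariant in the project's own test suite after every mint and burn.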

Tools Used

Manual Review

Recommendations

rayDiv should be replaced with rayMul

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

DebtToken::totalSupply incorrectly uses rayDiv instead of rayMul, severely under-reporting total debt and causing lending protocol accounting errors
