Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Overestimation of User Debt Due to Unnecessary Minting of Debt Tokens

mahdikarimi

Summary

The mint function in the debt token contract incorrectly inflates the user’s debt by unnecessarily minting additional debt tokens. This occurs due to the inclusion of balanceIncrease in the minting amount, which already accounts for accrued debt. As a result, users accumulate more debt tokens than they should, leading to an overestimation of their total debt balance.

Vulnerability Details

Affected Function: mint
Code Snippet:

uint256 balanceIncrease = 0;
if (_userState[onBehalfOf].index != 0 && _userState[onBehalfOf].index < index) {
balanceIncrease = scaledBalance.rayMul(index) - scaledBalance.rayMul(_userState[onBehalfOf].index);
}

_userState[onBehalfOf].index = index.toUint128();

// @audit minting balance increase over-estimates user debt balance
uint256 amountToMint = amount + balanceIncrease;
_mint(onBehalfOf, amountToMint.toUint128());
Issue Explanation:
- The balanceIncrease variable represents the accrued debt since the last minting operation.
- When a user holds debt tokens, the usageIndex increases over time, naturally increasing their total debt.
- The function calculates the additional debt accrued since the last mint and adds this amount to the debt tokens being minted, leading to an overestimation of the user’s debt balance.
- The user’s previous debt tokens already account for the increasing usageIndex, so minting additional tokens for this increase results in an unnecessary and inflated debt balance.

Impact

Incorrect Debt Calculation: Users accrue more debt than they actually should.

Steps to Reproduce

A user borrows an amount from the lending pool, minting debt tokens in return.
The usageIndex increases over time, naturally increasing their debt value.
The user borrows again, triggering the mint function.
The function calculates the accrued debt (balanceIncrease) and incorrectly adds it to the new mint amount.
The user’s debt tokens are over-minted, inflating their overall debt balance.

Suggested Fix

Modify the mint function to exclude balanceIncrease from the minting calculation, ensuring only new debt tokens corresponding to the borrowed amount are minted:
uint256 amountToMint = amount; // Remove balanceIncrease from minting

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

DebtToken::mint miscalculates debt by applying interest twice, inflating borrow amounts and risking premature liquidations

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!