Double Debt Index Multiplication Causes Overestimated Debt When Minting Debt Tokens
Summary
The mint function in DebtToken.sol mistakenly applies the debt index twice when calculating accrued interest. This double application results in an overestimated debt increase, causing users to accrue more debt than they actually owe.
Vulnerability Details
When minting new debt tokens, the function calls the overridden balanceOf method, which already returns a balance scaled by the normalized debt. The code then multiplies this value again by both the new and old debt indexes to compute the accrued interest. This extra multiplication inflates the computed balanceIncrease, leading to an erroneous debt balance.
Impact
User Overcharge: Users may end up owing more than the correct amount due to an inflated interest component.
Financial Mismanagement: The protocol’s debt accounting becomes unreliable, potentially affecting repayments and interest accrual.
Tools Used
Manual code review
Recommendations
Adjust the interest calculation to work with the raw scaled balance (using the base ERC20 balance) rather than the already indexed balance. For example, modify the code as follows:
Then update the user’s state with the new index accordingly. This change will ensure that the debt index is applied only once.
Lead Judging Commences
DebtToken::mint miscalculates debt by applying interest twice, inflating borrow amounts and risking premature liquidations
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.