Incorrect Scaling in Total Supply Calculation Results in Underestimated Debt
Summary
The totalSupply function incorrectly scales the stored total supply by dividing it with the normalized debt, rather than multiplying. This error leads to an underestimation of the protocol’s total outstanding debt.
Vulnerability Details
https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/tokens/DebtToken.sol#L232-L235
While the overridden balanceOf method correctly multiplies the raw balance with the normalized debt to represent the actual debt, the totalSupply function instead divides the raw total supply. This inversion in the scaling operation creates a misrepresentation of the overall debt, affecting the protocol's financial metrics.
Impact
Inaccurate Metrics: The total outstanding debt is reported lower than it truly is, misleading users and stakeholders.
Operational Discrepancies: Inconsistent scaling may cause further issues in interest calculations and liquidity assessments.
Tools Used
Manual review
Recommendations
Modify the totalSupply function to multiply the raw total supply with the normalized debt. For example, update the function as shown:
This correction will align the total supply calculation with the balanceOf function and ensure accurate debt representation.
Lead Judging Commences
DebtToken::totalSupply incorrectly uses rayDiv instead of rayMul, severely under-reporting total debt and causing lending protocol accounting errors
DebtToken::totalSupply incorrectly uses rayDiv instead of rayMul, severely under-reporting total debt and causing lending protocol accounting errors
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.