The mint and burn functions in the DebtToken contract both use totalSupply() as one of their return values. The problem is that totalSupply returns an incorrect result.
Indeed, super.totalSupply() returns the total supply of debt tokens. A division by the usage index is then executed to retrieve the total amount of debt in terms of underlying asset units, but this is incorrect: it should instead be a multiplication.
When users interact with the LendingPool contract through borrow, repay, and repayOnBehalf, or with the stability pool through liquidateBorrower, the mint or burn DebtToken functions will be called, returning totalSupply(), which is then used to set reserve.totalUsage. This is a serious vulnerability, as it will lead to incorrect computation of the utilization rate and interest rates.
The impact of this issue is high, as it leads to a systematic error when setting reserve.totalUsage when borrowing, repaying or liquidating. This will break the internal computation of rates.
Manual review.
Make sure to correctly implement totalSupply in DebtToken contract so that it returns the total supply in underlying asset units:
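The following Python model is an added example, not code from the audited project or from the original finding. It shows the division and the multiplication side by side and what each does to the value written to reserve.totalUsage. The 27-decimal fixed-point scale, the class and helper names, and the utilization formula are assumptions made for illustration.

```python
RAY = 10**27  # assumed fixed-point scale for the usage index (27 decimals)

def ray_mul(a, b):
    """a * b / RAY, rounded half up."""
    return (a * b + RAY // 2) // RAY

def ray_div(a, b):
    """a * RAY / b, rounded half up."""
    return (a * RAY + b // 2) // b

class DebtTokenModel:
    """Hypothetical stand-in for the debt token; balances are stored scaled."""

    def __init__(self, usage_index):
        self.usage_index = usage_index
        self.scaled_supply = 0  # plays the role of super.totalSupply()

    def mint(self, underlying_amount):
        # Assumption: a borrow is recorded as amount / index (scaled units).
        self.scaled_supply += ray_div(underlying_amount, self.usage_index)

    def total_supply_buggy(self):
        # Behaviour described in the finding: divides by the index again.
        return ray_div(self.scaled_supply, self.usage_index)

    def total_supply_fixed(self):
        # Scaled units * index = debt in underlying asset units.
        return ray_mul(self.scaled_supply, self.usage_index)

def utilization(total_usage, available_liquidity):
    """Assumed rate input: usage / (liquidity + usage), expressed as a ray."""
    total = total_usage + available_liquidity
    return ray_div(total_usage, total) if total else 0

def compare(usage_index, borrowed, liquidity):
    """Return (buggy, fixed, buggy_utilization, fixed_utilization)."""
    token = DebtTokenModel(usage_index)
    token.mint(borrowed)
    buggy, fixed = token.total_supply_buggy(), token.total_supply_fixed()
    return buggy, fixed, utilization(buggy, liquidity), utilization(fixed, liquidity)

if __name__ == "__main__":
    unit = 10**18  # constructed sample: 1000 tokens borrowed, 1000 still liquid
    for index in (RAY, 125 * RAY // 100):
        print(index, compare(index, 1_000 * unit, 1_000 * unit))
```

With the index at exactly 1.0 both versions agree, so a test suite that never accrues interest will not catch the bug; once the index grows, the reported debt is understated by a factor of the index squared.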