`balanceIncrease` in Debt Token contract is wrongly computed, leading to incorrect `Mint` event emission.
Summary
balanceIncrease in Debt Token contract is computed as follows:
This is incorrect because scaledBalance is calculated like so:
with balanceOf returning the the debt balance in underlying assets unit:
This means that when computing balanceIncrease with:
balanceIncrease = scaledBalance.rayMul(index) - scaledBalance.rayMul(_userState[onBehalfOf].index);
We actually apply a multiplication scaling by the index for the second time, given that scaledBalance is already in underlying assets unit.
Vulnerability Details
Because balanceIncrease is incorrect and greater than it should, Mint event will be emitted with wrong values:
Impact
The impact of this issue is medium as it leads to event emission with incorrect data, leading to important front-end integration issues.
Tools Used
Manual review
Recommendations
Make sure to correctly compute the balanceIncrease, using underlying assets unit:
This solution uses super.balanceOf to retrieve the balance in debt token unit. We can then multiply by the index and the last index of the user to get the correct balance increase in underlying assets unit.
Lead Judging Commences
DebtToken::mint miscalculates debt by applying interest twice, inflating borrow amounts and risking premature liquidations
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.