Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Over-Issuance of Debt in `mint` Function

Summary

The mint function of the DebtToken contract incorrectly adds the balanceIncrease to the amount when minting new debt tokens. This is an error because the balanceIncrease is already tracked by the index and does not need to be added each time a user borrows. This leads to over-issuance of debt tokens, resulting in inflated user balances and incorrect accounting.

Vulnerability Details

  • Issue: Incorrect addition of balanceIncrease to the amount when minting debt tokens.

  • Code Location:

    uint256 amountToMint = amount + balanceIncrease; // @audit Don't need to mint balanceIncrease since it's tracked by index
  • Expected Behavior:
    The balanceIncrease should not be added to the amount when minting debt tokens because it is already accounted for by the index. The correct calculation should only mint the amountScaled:

    uint256 amountToMint = amount; // Correct: Do not add balanceIncrease
  • Actual Behavior:
    The function adds the balanceIncrease to the amount, resulting in over-issuance of debt tokens.

  • Root Cause:
    The logic for calculating the amountToMint incorrectly includes the balanceIncrease, which is already tracked by the index. This leads to double-counting of the balance increase and inflates the user's debt balance.

PoC

Run in DebtToken.test.js

    it("should mint excess debt to user", async function () {
      const mintAmount = ethers.parseEther("100");
      const initialIndex = RAY;
      const newIndex = RAY * 11n / 10n; // 1.1 RAY = 10% increase

      // First borrow at the initial index
      console.log("Minting tokens for interest test");
      await debtToken.connect(mockLendingPoolSigner).mint(user1.address, user1.address, mintAmount, initialIndex);

      // Accrue interest by raising the normalized debt index
      console.log("Setting new normalized debt");
      await mockLendingPool.setNormalizedDebt(newIndex);
      const balance = await debtToken.balanceOf(user1.address);
      let expectedBalance = mintAmount * newIndex / RAY;
      console.log("Balance after interest:", balance.toString());
      console.log("Expected balance:", expectedBalance.toString());
      expect(balance).to.equal(expectedBalance);

      // Second borrow at the new index: balance should grow by mintAmount only
      console.log("Minting new debt tokens for interest test");
      await debtToken.connect(mockLendingPoolSigner).mint(user1.address, user1.address, mintAmount, newIndex);
      expectedBalance = mintAmount /* no interest is accrued */ + balance;
      console.log("Expected balance:", expectedBalance.toString());
      console.log("Balance after mint:", (await debtToken.balanceOf(user1.address)).toString());
    });

Impact

  1. Over-Issuance of Debt Tokens:

    • Users receive more debt tokens than they should, leading to inflated balances and incorrect accounting.

  2. Incorrect Debt Tracking:

    • The protocol's debt tracking becomes inaccurate, as the balanceIncrease is double-counted (once by the index and once by the minting logic).

  3. Financial Loss:

    • Over-issuance of debt tokens leads to financial losses for the user, as users may owe less than their actual debt and can easily be liquidated.


Mitigation

To fix this issue, the mint function should be updated to exclude the balanceIncrease from the amountToMint.
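
The double-counting and the effect of the fix can be checked off-chain with a small model of index-based debt accounting. This is an added example, not code from the DebtToken contract or the submission: the `DebtModel` class, the `simulate` helper and the half-up ray rounding are assumptions, and the inputs mirror the PoC (100 tokens minted at index 1.0 RAY, then again at 1.1 RAY).

```javascript
// Simplified model of scaled (index-based) debt accounting. Hypothetical code,
// not the audited contract. Balances are stored scaled and multiplied by the index on read.
const RAY = 10n ** 27n;
const rayMul = (a, b) => (a * b + RAY / 2n) / RAY; // half-up rounding (assumed)
const rayDiv = (a, b) => (a * RAY + b / 2n) / b;

class DebtModel {
  constructor(addBalanceIncrease) {
    this.addBalanceIncrease = addBalanceIncrease; // true = behaviour reported in the finding
    this.scaled = 0n;    // stored scaled balance
    this.userIndex = 0n; // index recorded at the user's last mint
  }
  balanceOf(index) {
    return rayMul(this.scaled, index); // interest is already reflected here via the index
  }
  mint(amount, index) {
    let balanceIncrease = 0n;
    if (this.userIndex !== 0n && this.userIndex < index) {
      balanceIncrease = rayMul(this.scaled, index) - rayMul(this.scaled, this.userIndex);
    }
    this.userIndex = index;
    const amountToMint = this.addBalanceIncrease ? amount + balanceIncrease : amount;
    this.scaled += rayDiv(amountToMint, index);
    return balanceIncrease;
  }
}

// Replays the PoC scenario and reports how far the balance exceeds
// (balance before the second mint + newly borrowed amount).
function simulate(addBalanceIncrease) {
  const amount = 100n * 10n ** 18n;     // constructed input, same as the PoC
  const newIndex = (RAY * 11n) / 10n;   // 1.1 RAY
  const model = new DebtModel(addBalanceIncrease);
  model.mint(amount, RAY);
  const before = model.balanceOf(newIndex);
  const balanceIncrease = model.mint(amount, newIndex);
  const after = model.balanceOf(newIndex);
  return { before, balanceIncrease, after, excess: after - (before + amount) };
}

const buggy = simulate(true);
const fixed = simulate(false);
console.log("with balanceIncrease added:", buggy.after.toString(), "excess:", buggy.excess.toString());
console.log("amount only:               ", fixed.after.toString(), "excess:", fixed.excess.toString());
```

In this model the excess debt after the second mint equals `balanceIncrease` exactly, which makes a useful invariant for a regression test: the balance after a mint should equal the pre-mint balance plus the borrowed amount.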

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

DebtToken::mint miscalculates debt by applying interest twice, inflating borrow amounts and risking premature liquidations
