Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Incorrect `balanceIncrease` Calculation in `mint` Function

Summary

The `mint` function of the `DebtToken` contract calculates `balanceIncrease` incorrectly because it reads the user's balance with `balanceOf`, which returns a scaled balance: the stored balance already multiplied by the normalized debt. `mint` then multiplies that value by the index again, so `balanceIncrease` is wrong, resulting in inaccurate debt tracking and potential over- or under-issuance of debt tokens.


Vulnerability Details

  • Function: `mint`

  • Issue: Incorrect calculation of `balanceIncrease` due to the use of `balanceOf`, which returns a scaled balance.

  • Code Location:

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/tokens/DebtToken.sol#L150

uint256 scaledBalance = balanceOf(onBehalfOf); // Returns scaled balance
uint256 balanceIncrease = scaledBalance.rayMul(index) - scaledBalance.rayMul(_userState[onBehalfOf].index); // Incorrect calculation

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/tokens/DebtToken.sol#L223

function balanceOf(address account) public view override(ERC20, IERC20) returns (uint256) {
    uint256 scaledBalance = super.balanceOf(account);
    return scaledBalance.rayMul(ILendingPool(_reservePool).getNormalizedDebt());
}

  • Expected Behavior:
    The `balanceIncrease` should be calculated from the unscaled balance (i.e., the raw balance stored in the contract, not adjusted by the normalized debt). The correct calculation should use the `scaledBalanceOf` function, which returns that unscaled balance.

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/tokens/DebtToken.sol#L274

function scaledBalanceOf(address user) external view returns (uint256) {
    return super.balanceOf(user);
}

  • Actual Behavior:
    The function uses `balanceOf`, which returns a scaled balance, leading to incorrect `balanceIncrease` calculations.

  • Root Cause:
    The `balanceOf` function returns a scaled balance adjusted by the normalized debt, while the `balanceIncrease` calculation assumes an unscaled balance. Because of this mismatch, the index is applied to the balance twice.

PoC

With the current code, the formula becomes

(userDebtToken * index * index) - (userDebtToken * index * userLastIndex)
userDebtToken = 100
index = 2
userLastIndex = 1
// 100 * 2 * 2 - 100 * 2 * 1 => 200
instead of
// 100 * 2 - 100 * 1 => 100

Impact

  1. Incorrect balanceIncrease:

    • The balanceIncrease will be calculated incorrectly, leading to inaccurate adjustments to the user's debt balance.

  2. User Trust:

    • Users may lose confidence in the protocol if they notice discrepancies in their debt balances or the protocol's financial reporting.


Mitigation

To fix this issue, the `mint` function should use the `scaledBalanceOf` function to retrieve the unscaled balance when calculating the `balanceIncrease`.
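The PoC arithmetic and the mitigation above can be checked side by side with a small model. This is an added example, not code from the RAAC repository: the class and function names are hypothetical, `ray_mul` assumes Aave-style 27-decimal half-up rounding, and the normalized debt is assumed equal to the `index` passed to `mint`, as in the PoC.

```python
RAY = 10**27            # assumed 27-decimal fixed point (Aave-style WadRayMath)
HALF_RAY = RAY // 2

def ray_mul(a: int, b: int) -> int:
    """Fixed-point multiply, rounding half up (assumed rayMul behaviour)."""
    return (a * b + HALF_RAY) // RAY

class DebtTokenModel:
    """Hypothetical model of the two balance getters quoted on this page."""
    def __init__(self, normalized_debt: int):
        self.normalized_debt = normalized_debt  # ILendingPool.getNormalizedDebt()
        self.stored = {}                        # super.balanceOf(account)
        self.user_index = {}                    # _userState[account].index

    def balance_of(self, who: str) -> int:
        # Mirrors balanceOf: stored balance multiplied by the normalized debt
        return ray_mul(self.stored.get(who, 0), self.normalized_debt)

    def scaled_balance_of(self, who: str) -> int:
        # Mirrors scaledBalanceOf: raw stored balance
        return self.stored.get(who, 0)

    def increase_as_written(self, who: str, index: int) -> int:
        bal = self.balance_of(who)              # index is already applied here
        return ray_mul(bal, index) - ray_mul(bal, self.user_index[who])

    def increase_mitigated(self, who: str, index: int) -> int:
        bal = self.scaled_balance_of(who)       # index is applied once, below
        return ray_mul(bal, index) - ray_mul(bal, self.user_index[who])

def compare(stored: int, user_index: int, index: int) -> tuple:
    """Return (as written, mitigated) balanceIncrease for one constructed user."""
    m = DebtTokenModel(normalized_debt=index)
    m.stored["alice"] = stored
    m.user_index["alice"] = user_index
    return m.increase_as_written("alice", index), m.increase_mitigated("alice", index)

if __name__ == "__main__":
    unit = 10**18                               # constructed 18-decimal amounts
    for idx in (RAY, 11 * RAY // 10, 2 * RAY):  # index 1.0, 1.1 and the PoC's 2.0
        written, fixed = compare(100 * unit, RAY, idx)
        print(f"index={idx / RAY:.1f} written={written // unit} mitigated={fixed // unit}")
```

The two results agree only while the index is exactly 1.0; after that the value computed as written is the mitigated value multiplied by the index once more.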

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

DebtToken::mint miscalculates debt by applying interest twice, inflating borrow amounts and risking premature liquidations
