DebtToken does not mint debt properly according to index
Vulnerability Details
At DebtToken::mint(), the token amount passed to _mint() is a normal token amount, this is not correct. It must be the scaled amount to properly account for historical accrued debt.
For example when user does LendinPool::borrow() we see that the mint amount parameters is in token decimals, see borrow logic here, which will be just minted on DebtToken here.
If you read from the lines above we see that amountToMint is calculated by the amount in normal token decimals and the balanceIncrease. However this is incorrect.
For interest bearing tokens tracked in an index-based manner like DebtToken mirroring AAVE debt tokens, the mint amount must be rayDiv() down with the index to not account for previous debt accrued in the system. This type of tokens are named ScaledBlanceTokens on AAVE and both, the aToken and the debtToken, on AAVE inherit from the same contract named like so.
A very good explanation on why minting ScaledBalanceTokens must behave like this can be found on the AAVE book aToken section here.
You can also check AAVE VariableDebtToken code to see it should be the scaled amount, here. The contract just linked is inherited by VariableDebtToken, see here.
Impact
Users are minted a higher amount of debt than they should.
Recommendations
You have to mint a scaledAmount. Like the already calculated a few lines above here.
Lead Judging Commences
DebtToken::mint miscalculates debt by applying interest twice, inflating borrow amounts and risking premature liquidations
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.