Potential Usage Index Mismatch in DebtToken Causing Incorrect Interest Calculations
Summary
The DebtToken contract relies on _usageIndex and getNormalizedDebt() from the LendingPool to track debt growth over time. However, these values may not always be synchronized, leading to misaligned debt calculations.
If _usageIndex and getNormalizedDebt() diverge, users may experience incorrect interest accrual, affecting both borrowers and liquidators.
This issue can cause unexpected overcharges or undercharges in debt calculations, creating financial inconsistencies across the protocol.
Vulnerability Details
In the DebtToken contract, different pieces of code rely on the _usageIndex and the value returned by ILendingPool(_reservePool).getNormalizedDebt() . For instance:
and
The _usageIndex may diverge from what getNormalizedDebt() returns, or be updated at different times, so users' scaled balances can become misaligned with the actual index used for interest accrual, leading to unexpected or incorrect interest calculations.
Impact
Incorrect Interest Calculations
Tools Used
Manual review
Recommendations
Use one single source of truth for debt scaling—either _usageIndex or getNormalizedDebt()
Lead Judging Commences
[INVALID] Unused _usageIndex Variable and updateUsageIndex() Function in DebtToken Contract
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.