Submission Details
Severity:
Incorrect scaling of total supply in the `DebtToken::totalSupply` function.
Summary
The DebtToken::totalSupply function has incorrect logic for scaling the total supply.
Vulnerability Details
The rayDiv is used to scale the totalSupply value, which is incorrect. The rayMul should be used instead; otherwise, it will return an incorrect value.
as done in the balanceOffunction.
function balanceOf(address account) public view override(ERC20, IERC20) returns (uint256) {
uint256 scaledBalance = super.balanceOf(account);
@>> return scaledBalance.rayMul(ILendingPool(_reservePool).getNormalizedDebt());
}
function totalSupply() public view override(ERC20, IERC20) returns (uint256) {
uint256 scaledSupply = super.totalSupply();
@>> return scaledSupply.rayDiv(ILendingPool(_reservePool).getNormalizedDebt());
}
Impact
The totalSupply will return an incorrect value if rayDiv is used instead of rayMul.
Recommendations
function totalSupply() public view override(ERC20, IERC20) returns (uint256) {
uint256 scaledSupply = super.totalSupply();
- return scaledSupply.rayDiv(ILendingPool(_reservePool).getNormalizedDebt());
+ return scaledSupply.rayMul(ILendingPool(_reservePool).getNormalizedDebt());
}
Updates
Lead Judging Commences
inallhonesty 4 months ago
Submission Judgement Published Assigned finding tags:
DebtToken::totalSupply incorrectly uses rayDiv instead of rayMul, severely under-reporting total debt and causing lending protocol accounting errors
inallhonesty 4 months ago
Submission Judgement Published Assigned finding tags:
DebtToken::totalSupply incorrectly uses rayDiv instead of rayMul, severely under-reporting total debt and causing lending protocol accounting errors
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.