Submission Details
Severity:
The `amountMinted` should be add to `user.scaledDebtBalance` state instead of `scaledAmount` in the `LendingPool::borrow` function
Vulnerability Details
In the DebtToken::mint function, there is a calculation for balanceIncrease, and this variable is added to the amount. Therefore, scaledAmount and amountMinted are not necessarily the same. As a result, amountMinted should be added to user.scaledDebtBalance state here.
Impact
This can lead to incorrect calculations.
Tools Used
Manual review.
Recommendations
Make the following changes to the LendingPool::borrow function.
uint256 scaledAmount = amount.rayDiv(reserve.usageIndex);
// Mint DebtTokens to the user (scaled amount)
(bool isFirstMint, uint256 amountMinted, uint256 newTotalSupply) = IDebtToken(reserve.reserveDebtTokenAddress).mint(msg.sender, msg.sender, amount, reserve.usageIndex);
// Transfer borrowed amount to user
IRToken(reserve.reserveRTokenAddress).transferAsset(msg.sender, amount);
- user.scaledDebtBalance += scaledAmount;
+ user.scaledDebtBalance += amountMinted;
Updates
Lead Judging Commences
inallhonesty 4 months ago
Submission Judgement Published Assigned finding tags:
LendingPool::borrow tracks debt as user.scaledDebtBalance += scaledAmount while DebtToken mints amount+interest, leading to accounting mismatch and preventing full debt repayment
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.