Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Non-scaled amount of DebtToken is minted in the `DebtToken::mint` function instead of the scaled amount

Vulnerability Details

After initializing `amountToMint` by adding `balanceIncrease` to `amount`, both of which are non-scaled, it should be converted to a scaled version by dividing by `index`. Then, the `_mint` function is triggered.

Impact

Incorrect calculations.

Tools Used

Manual review.

Recommendations

Make the following changes to the DebtToken::mint function.

uint256 balanceIncrease = 0;
if (_userState[onBehalfOf].index != 0 && _userState[onBehalfOf].index < index) {
balanceIncrease = scaledBalance.rayMul(index) - scaledBalance.rayMul(_userState[onBehalfOf].index);
}
_userState[onBehalfOf].index = index.toUint128();
- uint256 amountToMint = amount + balanceIncrease
+ uint256 amountToMint = (amount + balanceIncrease).rayDiv(index);
_mint(onBehalfOf, amountToMint.toUint128());
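Review bot: On the `+` line, `balanceIncrease` is still added into the minted amount before `rayDiv(index)`, so accrued interest is minted as new scaled tokens. If balance reads multiply the stored scaled balance by the current index, that interest already shows up through the index and would be counted a second time, which is what the judge's tag on this finding describes. Consider minting only `amount.rayDiv(index)` and keeping `balanceIncrease` for reporting, and check that the `rayDiv` rounding followed by `toUint128()` cannot mint zero scaled tokens for a small non-zero `amount`.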
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

DebtToken::mint miscalculates debt by applying interest twice, inflating borrow amounts and risking premature liquidations
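
The scaled versus non-scaled distinction from the finding, and the double-counted interest named in the judge's tag, worked through on constructed numbers. This is an added Python model, not the audited contract's code: the `DebtLedger` class, the `mode` switch, the `amount_only` variant and the assumption that balance reads multiply the stored balance by the current index are illustrative and not taken from the page.

```python
RAY = 10**27  # assumed 27-decimal fixed point for the ray helpers

def ray_mul(a, b):
    return (a * b + RAY // 2) // RAY      # round half up

def ray_div(a, b):
    return (a * RAY + b // 2) // b        # round half up

class DebtLedger:
    """Hypothetical model: stores scaled balances; debt read = stored * index (assumption)."""
    def __init__(self, mode):
        self.mode = mode
        self.scaled = {}       # user -> stored (scaled) balance
        self.user_index = {}   # user -> index recorded at last mint

    def balance_of(self, user, index):
        return ray_mul(self.scaled.get(user, 0), index)

    def mint(self, user, amount, index):
        scaled_balance = self.scaled.get(user, 0)
        last = self.user_index.get(user, 0)
        balance_increase = 0
        if last != 0 and last < index:
            balance_increase = ray_mul(scaled_balance, index) - ray_mul(scaled_balance, last)
        self.user_index[user] = index
        if self.mode == "unscaled":          # behaviour the finding reports
            to_mint = amount + balance_increase
        elif self.mode == "recommended":     # the '+' line from the page
            to_mint = ray_div(amount + balance_increase, index)
        else:                                # "amount_only": assumption, scale new principal only
            to_mint = ray_div(amount, index)
        self.scaled[user] = scaled_balance + to_mint

def debt_after_two_borrows(mode):
    """Constructed scenario: borrow 100 at index 1.0, then 100 more at index 1.2."""
    unit, idx = 10**18, 12 * RAY // 10
    ledger = DebtLedger(mode)
    ledger.mint("alice", 100 * unit, RAY)
    ledger.mint("alice", 100 * unit, idx)
    return ledger.balance_of("alice", idx)

if __name__ == "__main__":
    # Economically expected debt: 100 * 1.2 + 100 = 220
    for mode in ("unscaled", "recommended", "amount_only"):
        print(mode, debt_after_two_borrows(mode) / 10**18)
```

In this model the unscaled mint reads back as 264, the page's recommended line as 240, and the amount-only variant as the expected 220.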