LendingPool
contract are using reserve.totalUsage
that populated by returned value of DebtToken::totalSupply
when calculating the utilization rate, but the implementation of DebtToken::totalSupply
is wrong leading to incorrect state used for the whole protocol core function.
ReserveLibrary::updateInterestRatesAndLiquidity
is a part of core function borrow
, _repay
, finalizeLiquidation
where it is needed to update the state of interest rate and the utilization rate.
the above three function have the same pattern, where they first update the reserve.totalUsage
before calling ReserveLibrary.updateInterestRatesAndLiquidity
, I provide the example in borrow function:
we can notice that newTotalSupply
value is returned by the mint function of DebtToken
. let's dive into the function:
the value are from totalSupply
function like below:
this is where the issue happen, the super.totalSupply
value is already on it scaled version but the function totalSupply
is dividing super.totalSupply
amount by the current index instead of multiplying it before return it. The correct amount returned should be the normalized version, because it would reflect the underlying asset borrowed by the borrower plus the interest accrued.
this clearly an issue because of reserve.totalUsage
would later have lower amount than it supposed to be, leading to the protocol thinking that it utilization rate are below the what it supposed to be, this can lead to wrong index which can affect the accuracy of whole protocol.
manual review
use rayMul
instead of rayDiv
:
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.