Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

DebtToken::totalSupply returns incorrect value

Vulnerability Details

super.totalSupply() returns scaledSupply. The external totalSupply function is supposed to return the actual amount by multiplying this scaledSupply by usageIndex, but instead it divides by it, reducing the value further.

Impact

This totalSupply is used inside the LendingPool when borrowing or repaying to calculate reserve.totalUsage. This totalUsage is in turn used to calculate liquidity and utilizationRate in ReserveLibrary. These are critical variables, so a wrong totalSupply value will cause a lot of damage.

Tools Used

Manual Review

Recommendations

return scaledSupply.rayDiv(ILendingPool(_reservePool).getNormalizedDebt()); // replace this with the below line
return scaledSupply.rayMul(ILendingPool(_reservePool).getNormalizedDebt());
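
The size of the error, and a regression check that catches it, as an added example that is not the project's code. It models ray (1e27) fixed-point math with BigInt; the half-up rounding in rayMul/rayDiv, the utilization formula, the helper names and all sample values are assumptions.

```javascript
// Added example, not the project's code. Ray = 1e27 fixed point, BigInt.
const RAY = 10n ** 27n;

// Half-up rounding helpers (assumed convention for rayMul / rayDiv).
const rayMul = (a, b) => (a * b + RAY / 2n) / RAY;
const rayDiv = (a, b) => (a * RAY + b / 2n) / b;

// Debt is stored scaled: amount divided by the index at mint time.
const toScaled = (amount, index) => rayDiv(amount, index);

// The two totalSupply() variants from the finding.
const totalSupplyBuggy = (scaled, index) => rayDiv(scaled, index);
const totalSupplyFixed = (scaled, index) => rayMul(scaled, index);

// Hypothetical utilization formula: usage / (liquidity + usage), in ray.
const utilization = (liquidity, usage) =>
  liquidity + usage === 0n ? 0n : rayDiv(usage, liquidity + usage);

// Regression check: for index >= RAY the reported debt must not fall below
// the scaled supply, and must round-trip to the minted amount within rounding.
function holdsInvariant(totalSupplyFn, minted, index) {
  const scaled = toScaled(minted, index);
  const reported = totalSupplyFn(scaled, index);
  const diff = reported > minted ? reported - minted : minted - reported;
  return reported >= scaled && diff <= index / RAY + 1n;
}

function demo() {
  const index = (RAY * 125n) / 100n;     // constructed: usage index 1.25
  const minted = 1000n * 10n ** 18n;     // constructed: 1000 tokens of debt
  const liquidity = 1000n * 10n ** 18n;  // constructed: idle liquidity
  const scaled = toScaled(minted, index);
  const buggy = totalSupplyBuggy(scaled, index);
  const fixed = totalSupplyFixed(scaled, index);
  return {
    scaled, buggy, fixed,
    utilBuggy: utilization(liquidity, buggy),
    utilFixed: utilization(liquidity, fixed),
    fixedOk: holdsInvariant(totalSupplyFixed, minted, index),
    buggyOk: holdsInvariant(totalSupplyBuggy, minted, index),
    // At index == RAY both variants agree, so the bug is invisible there.
    buggyOkAtUnitIndex: holdsInvariant(totalSupplyBuggy, minted, RAY),
  };
}
```

With these values the rayDiv variant reports 640 tokens of debt instead of 1000. Because both variants agree when the index equals RAY, a test has to run after the index has grown to detect the regression.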

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

DebtToken::totalSupply incorrectly uses rayDiv instead of rayMul, severely under-reporting total debt and causing lending protocol accounting errors