Submission Details
Severity:
Incorrect way of calculating totalSupply of DebtToken will cause increase of debt index
Summary
Incorrect way of calculating totalSupply of DebtToken will cause increase of debt index
Vulnerability Details
Total supply fn in the DebtToken contact is not calculated correctly:
function totalSupply() public view override(ERC20, IERC20) returns (uint256) {
uint256 scaledSupply = super.totalSupply();
// should be using rayMult, since super.totalSupply() returns non scaled amount
return scaledSupply.rayDiv(ILendingPool(_reservePool).getNormalizedDebt());
}
Because later this is used to calculate the borrow rate, the usage index and toal usage, will have major implications.
Impact
People will have to return more than they borrowed
People may have problesm with liquidations
Tools Used
Manual review
Recommendations
Updates
Lead Judging Commences
inallhonesty 2 months ago
Submission Judgement Published Assigned finding tags:
DebtToken::totalSupply incorrectly uses rayDiv instead of rayMul, severely under-reporting total debt and causing lending protocol accounting errors
inallhonesty 2 months ago
Submission Judgement Published Assigned finding tags:
DebtToken::totalSupply incorrectly uses rayDiv instead of rayMul, severely under-reporting total debt and causing lending protocol accounting errors
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.