`rayMul` should be used in DebtToken totalSupply
Summary
In the DebtToken contract, both totalSupply and balanceOf functions should account for the current index of the debt. While balanceOf is correctly implemented, totalSupply is not. Instead of using rayMul, the totalSupply function incorrectly uses rayDiv, leading to inaccurate calculations.
Vulnerability Details
The totalSupply function in the DebtToken contract is designed to return the total supply of debt tokens adjusted by the normalized debt index. However, the current implementation uses rayDiv instead of rayMul to adjust the scaled supply. This results in an incorrect computation of the total supply, as the division operation inverts the intended scaling.
Impact
The incorrect computation of totalSupply in the DebtToken contract will lead to inconsistencies in the accounting of debt. Users and external systems relying on this value will receive inaccurate data, potentially affecting operations such as debt calculations, interest accruals, and financial reporting.
Tools Used
The issue was identified through manual code review.
Recommendations
To fix the issue, replace rayDiv with rayMul in the totalSupply function of the DebtToken contract. This ensures that the total supply is correctly adjusted by the normalized debt index.
This change will align the totalSupply function with the intended logic and ensure accurate debt calculations.
Lead Judging Commences
DebtToken::totalSupply incorrectly uses rayDiv instead of rayMul, severely under-reporting total debt and causing lending protocol accounting errors
DebtToken::totalSupply incorrectly uses rayDiv instead of rayMul, severely under-reporting total debt and causing lending protocol accounting errors
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.