hats-finance / Circles-0x6ca9ca24d78af44582951825bef9eadcb210e5cf

Circles Protocol contracts
https://aboutcircles.com
GNU Affero General Public License v3.0

Discount Rate Error in Total Supply Calculation #92

Open hats-bug-reporter[bot] opened 1 month ago

hats-bug-reporter[bot] commented 1 month ago

Github username: --
Twitter username: --
Submission hash (on-chain): 0x86129d372f768cb17731fc0fbafa4540f8f18a3f09e7a84846c4781b377fedb7
Severity: medium

Description

A critical calculation error has been identified in the totalSupply function of the DiscountedBalances contract. This function, when calculating the total supply for a given Circles identifier, only applies a discount based on the number of days since the last update, ignoring daily discount rate changes prior to the last update. This leads to a systematic underestimation of the total supply.

```solidity
function totalSupply(uint256 _id) public view returns (uint256) {
    // Stored (balance, lastUpdatedDay) pair for this Circles identifier
    DiscountedBalance memory totalSupplyBalance = discountedTotalSupplies[_id];
    uint64 today = day(block.timestamp);
    // Discount is applied for the number of days elapsed since the last update
    return _calculateDiscountedBalance(totalSupplyBalance.balance, today - totalSupplyBalance.lastUpdatedDay);
}
```

Attack Scenario

Consider the following scenario:

Day 1: 5% discount rate

Day 2: 7% discount rate

Day 3: 6% discount rate

Day 4 (today): 8% discount rate

If the last update was 3 days ago:

Correct calculation: (1-0.05) × (1-0.07) × (1-0.06) × (1-0.08) = 0.7585 (24.15% total discount)

Current implementation: (1-0.08) = 0.92 (only 8% total discount)

This results in an error of approximately 16.15%, which accumulates over time.

Mitigation Strategies

Short-term: Implement a new function that calculates the accurate total supply, considering daily discount rate changes.

benjaminbollen commented 1 month ago

Thank you for your report on the discount rate in total supply calculation. After review, we've determined this is not an issue. The current implementation aligns with our intended design.

We appreciate your participation in this security review.