Enhance rounding for scaled tokens to mitigate minor insolvency

[xuwinnie]

Vulnerable Functions

The following three AToken functions all round the result to the nearest integer, which may bring minor insolvency to the protocol.

function _mintScaled(address caller, address onBehalfOf, uint256 amount, uint256 index) {
    uint256 amountScaled = amount.rayDiv(index);
    ...
    _mint(onBehalfOf, amountScaled.toUint128());
}

function _burnScaled(address user, address target, uint256 amount, uint256 index) {
    uint256 amountScaled = amount.rayDiv(index);
    ...
    _burn(user, amountScaled.toUint128());
}

function balanceOf(address user) (IncentivizedERC20, IERC20) returns (uint256) {
    return super.balanceOf(user).rayMul(POOL.getReserveNormalizedIncome(_underlyingAsset));
}

Mitigation

Enhance rounding for scaled tokens (including AToken and VariableDebtToken) so that rounding always act in the direction that protects the protocol (instead of having some cases benefiting the user).

Rounding used

AToken.mint: ROUNDING.DOWN
AToken.burn: ROUNDING.UP
AToken.balanceOf: ROUNDING.DOWN

VariableDebtToken.mint: ROUNDING.UP
VariableDebtToken.burn: ROUNDING.DOWN
VariableDebtToken.balanceOf: ROUNDING.UP

New Dependency

RayMathExplicitRounding.sol, which is also used in StaticAToken's implementation.

[height]

Link Height tasks by mentioning a task ID in the pull request title or commit messages, or description and comments with the keyword link (e.g. "Link T-123").

💡Tip: You can also use "Close T-X" to automatically close a task when the pull request is merged.