Submission Details
Severity:
Wrong event emission
Summary
When rtokens are burned during withdrawal amount scaled should be returned and emitted correctly but this is not done correctly.
Vulnerability Details
/**
* @notice Burns RToken from a user and transfers underlying asset
* @param from The address from which tokens are burned
* @param receiverOfUnderlying The address receiving the underlying asset
* @param amount The amount to burn (in underlying asset units)
* @param index The liquidity index at the time of burning
* @return A tuple containing:
@audit>>> * - uint256: The amount of scaled tokens burned
'
' * - uint256: The new total supply after burning
* - uint256: The amount of underlying asset transferred
*/
function burn(
address from,
address receiverOfUnderlying,
uint256 amount,
uint256 index
) external override onlyReservePool returns (uint256, uint256, uint256) {
if (amount == 0) {
return (0, totalSupply(), 0);
}
uint256 userBalance = balanceOf(from); // BUG burn should first get the balance increase and not just allow user to loses interest
_userState[from].index = index.toUint128();
if(amount > userBalance){
amount = userBalance;
}
uint256 amountScaled = amount.rayMul(index); // Low Wrong not used in another place Divray not raymul
_userState[from].index = index.toUint128();
_burn(from, amount.toUint128());
if (receiverOfUnderlying != address(this)) {
IERC20(_assetAddress).safeTransfer(receiverOfUnderlying, amount);
}
emit Burn(from, receiverOfUnderlying, amount, index);
@audit>>> return (amount, totalSupply(), amount); // Bug low wrong emission emit burned scaled , totalsuply , amount
}
The returned value is amount, total supply, amount
but the arrangement is burnedscaled, totalsupply , underlying
hence the emission during withdrawal will emit wrong values receiver , amount , amount instead of receiver , amount , amount scaled.
function withdraw(
ReserveData storage reserve,
ReserveRateData storage rateData,
uint256 amount,
address recipient
) internal returns (uint256 amountWithdrawn, uint256 amountScaled, uint256 amountUnderlying) {
if (amount < 1) revert InvalidAmount();
// Update the reserve interests
updateReserveInterests(reserve, rateData);
// Burn RToken from the recipient - will send underlying asset to the recipient
@audit>> (uint256 burnedScaledAmount, uint256 newTotalSupply, uint256 amountUnderlying) = IRToken(reserve.reserveRTokenAddress).burn(
recipient, // from not dynamic msg.sender is both reciver and from
recipient, // receiverOfUnderlying
amount, // amount
reserve.liquidityIndex // index
);
amountWithdrawn = burnedScaledAmount; //Wrong
// Update the total liquidity and interest rates
updateInterestRatesAndLiquidity(reserve, rateData, 0, amountUnderlying);
@audit>> emit Withdraw(recipient, amountUnderlying, burnedScaledAmount); // wrong event emission
return (amountUnderlying, burnedScaledAmount, amountUnderlying);
}
Impact
Wrong event emission
Tools Used
manual review
Recommendations
Return value should return amount scaled, total supply , amount.
Updates
Lead Judging Commences
inallhonesty 6 months ago
Submission Judgement Published Assigned finding tags:
RToken::burn emits wrong event info
inallhonesty 6 months ago
Submission Judgement Published Assigned finding tags:
RToken::burn emits wrong event info
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.