LendingPool: Lenders Lose their assets Upon Withdrawal
Summary
When users deposit money into the lending pool, they should earn interest over time. However, due to a mistake in the withdraw users get less than their deposited assets, without any interest.
Vulnerability Details
Bug Scenario:
A user deposits 100 assets into the pool when lendingIndex = 2
He receives 100 / 2 = 50 RTokens (User balance = 50 RTokens).
The user calls withdraw(50).
It calls RToken.burn(amount=50).
Inside burn() function:
_burn(amount=50) is called, which burns the entire user balance (50 RTokens).
50 assets are transferred back to the user
So It burns 50 tokens and transfers 50 assets to user ignoring the index scaling
As a result, the user deposited 100 assets and only can withdraw 50 assets.
Impact
Lenders lose their assets when they deposit into LendingPool and withdraw
Tools Used
vscode
Recommendations
inside RToken.burn function, burn amount/index of RTokens:
Lead Judging Commences
RToken::burn incorrectly calculates amountScaled using rayMul instead of rayDiv, causing incorrect token burn amounts and breaking the interest accrual mechanism
RToken::burn incorrectly burns amount (asset units) instead of amountScaled (token units), breaking token economics and interest-accrual mechanism
RToken::burn incorrectly calculates amountScaled using rayMul instead of rayDiv, causing incorrect token burn amounts and breaking the interest accrual mechanism
RToken::burn incorrectly burns amount (asset units) instead of amountScaled (token units), breaking token economics and interest-accrual mechanism
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.