Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Double conversion of balanceIncrease will lead to incorrect minting/burning

ChainProof

Summary

The balanceIncrease is miscalculated due to double conversion.

Vulnerability Details

The balanceIncrease is the increased amount due to interest accrual, but the current implementation doubles-convert the scaledBalance, meaning that an incorrect balanceIncrease will be there

@> uint256 scaledBalance = balanceOf(onBehalfOf);
bool isFirstMint = scaledBalance == 0;
uint256 balanceIncrease = 0;
if (_userState[onBehalfOf].index != 0 && _userState[onBehalfOf].index < index) {
@> balanceIncrease = scaledBalance.rayMul(index) - scaledBalance.rayMul(_userState[onBehalfOf].index);
}

The balanceOf already returns the scaled amount, so there's no need of scaling it again

function balanceOf(address account) public view override(ERC20, IERC20) returns (uint256) {
uint256 scaledBalance = super.balanceOf(account);
return scaledBalance.rayMul(ILendingPool(_reservePool).getNormalizedDebt());
}

This will lead to double conversion and thus incorrect minting of tokens.

The same happened when burning as well. Another instance is R token mint function.

Impact

Double conversion leading to incorrect minting of token

Tools Used

Manual review

Recommendations

To get the interest from last updated index to current index , Get total accumulated balance then substract accumulated value from start to last updated index. Use this line for balanceIncrease

balanceIncrease = scaledBalance - super.balanceOf(user).rayMul(_userState[onBehalfOf].index);
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

DebtToken::mint miscalculates debt by applying interest twice, inflating borrow amounts and risking premature liquidations

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.