Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

If the Rtoken Contract is minted with 0 amount, an invalid value is returned.

01. Relevant GitHub Links

02. Summary

Minting an amount of 0 in the Rtoken contract returns an invalid value.

03. Vulnerability Details

This is the Rtoken::burn function:

function burn(
    address from,
    address receiverOfUnderlying,
    uint256 amount,
    uint256 index
) external override onlyReservePool returns (uint256, uint256, uint256) {
    if (amount == 0) {
@>      return (0, totalSupply(), 0);
    }
    ...

The second return value is documented as the total supply, and burn correctly returns totalSupply() in that position:

* @return A tuple containing:
* - uint256: The amount of scaled tokens burned
* - uint256: The new total supply after burning
* - uint256: The amount of underlying asset transferred

However, in the position where Rtoken::mint should return the total supply, it returns 0 instead of totalSupply().

function mint(
    address caller,
    address onBehalfOf,
    uint256 amountToMint,
    uint256 index
) external override onlyReservePool returns (bool, uint256, uint256, uint256) {
    if (amountToMint == 0) {
@>      return (false, 0, 0, 0);
    }
    ...

The annotation for the return values of the Rtoken::mint function:

* @return A tuple containing:
* - bool: True if this is the first mint for the recipient, false otherwise
* - uint256: The amount of scaled tokens minted
* - uint256: The new total supply after minting
* - uint256: The amount of underlying tokens minted
*/

Also, when amountToMint is 0, the mint function unconditionally returns false for the first value ("bool: True if this is the first mint for the recipient, false otherwise"). This problem also exists in the DebtToken::mint function.
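The mismatch described above can be pinned down with a Foundry regression test. This is an added example, not code from the audited repository: ZeroAmountModel, mintAsReported and mintMitigated are hypothetical names, the signatures are reduced to the amount argument, and only the zero-amount branches quoted in this report are reproduced.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {Test} from "forge-std/Test.sol";

// Constructed model: access control, addresses and index scaling are left out.
contract ZeroAmountModel {
    uint256 private _supply;

    function totalSupply() public view returns (uint256) {
        return _supply;
    }

    // Zero-amount branch as quoted from mint: third value hard-coded to 0.
    function mintAsReported(uint256 amountToMint) external returns (bool, uint256, uint256, uint256) {
        if (amountToMint == 0) return (false, 0, 0, 0);
        _supply += amountToMint;
        return (false, amountToMint, totalSupply(), amountToMint);
    }

    // Zero-amount branch after the recommended mitigation.
    function mintMitigated(uint256 amountToMint) external returns (bool, uint256, uint256, uint256) {
        if (amountToMint == 0) return (false, 0, totalSupply(), 0);
        _supply += amountToMint;
        return (false, amountToMint, totalSupply(), amountToMint);
    }

    // Zero-amount branch as quoted from burn.
    function burn(uint256 amount) external returns (uint256, uint256, uint256) {
        if (amount == 0) return (0, totalSupply(), 0);
        _supply -= amount;
        return (amount, totalSupply(), amount);
    }
}

contract ZeroAmountReturnTest is Test {
    ZeroAmountModel token;

    function setUp() public {
        token = new ZeroAmountModel();
        token.mintAsReported(100e18); // constructed non-zero starting supply
    }

    function test_zeroAmountReturnsCurrentSupply() public {
        (, uint256 fromBurn, ) = token.burn(0);
        (, , uint256 reported, ) = token.mintAsReported(0);
        (, , uint256 mitigated, ) = token.mintMitigated(0);
        assertEq(fromBurn, token.totalSupply());  // burn already reports supply
        assertEq(reported, 0);                    // reported behaviour: supply lost
        assertEq(mitigated, token.totalSupply()); // mitigated branch matches burn
    }
}
```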

04. Impact

  • LendingPool, which uses rTokens, prevents minting amounts less than or equal to 1, but this is still an obvious implementation error and a low-severity vulnerability.

05. Tools Used

Manual Code Review and Foundry

07. Recommended Mitigation

function mint(
address caller,
address onBehalfOf,
uint256 amountToMint,
uint256 index
) external override onlyReservePool returns (bool, uint256, uint256, uint256) {
if (amountToMint == 0) {
- return (false, 0, 0, 0);
+ return (false, 0, totalSupply(), 0);
}
...
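Review bot: The zero-amount branch still returns a hard-coded false for the first value after this change (`return (false, 0, totalSupply(), 0);`), although the report also flags that bool as unconditionally false when amountToMint is 0. Either derive it the same way the non-zero path does or state in the @return annotation that a zero-amount mint always reports false. The report says DebtToken::mint has the same problem, so the same correction should be applied there, with a test asserting that the third return value equals totalSupply() for a zero-amount mint.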
Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RToken::mint returns 0 instead of actual totalSupply() when amountToMint is 0, causing incorrect data for off-chain systems relying on return values
