Submission Details
Severity:
Double scaling of amount in RToken#transfer() causes incorrect transfers
Summary
The RToken#transfer() scales amount before calling _update(), but _update() also scales amount.
This results in
amountbeing incorrectly reduced, causing incorrect transfers.The recipient receives less than expected, and the sender loses more than they should.
Vulnerability Details
Current RToken#transfer() Implementation
function transfer(address recipient, uint256 amount) public override(ERC20, IERC20) returns (bool) {
@> uint256 scaledAmount = amount.rayDiv(ILendingPool(_reservePool).getNormalizedIncome());
return super.transfer(recipient, scaledAmount);
}
Current _update() Implementation
function _update(address from, address to, uint256 amount) internal override {
@> uint256 scaledAmount = amount.rayDiv(ILendingPool(_reservePool).getNormalizedIncome());
super._update(from, to, scaledAmount);
}
Instead of sending amount, the recipient receives amount / (index * index).
Impact
The sender loses more tokens than intended - Funds loss.
The recipient receives less than expected.
Tools Used
manual
Recommendations
Remove transfer() to prevent scaling.
Updates
Lead Judging Commences
inallhonesty 10 months ago
Submission Judgement Published Assigned finding tags:
RToken::transfer and transferFrom double-scale amounts by dividing in both external functions and _update, causing users to transfer significantly less than intended
inallhonesty 10 months ago
Submission Judgement Published Assigned finding tags:
RToken::transfer and transferFrom double-scale amounts by dividing in both external functions and _update, causing users to transfer significantly less than intended
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420
USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.