Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Double scaling of amount in RToken#transfer() causes incorrect transfers

Summary

RToken#transfer() divides amount by the normalized income index before calling _update(), but _update() applies the same scaling to amount again.

  • This results in amount being incorrectly reduced, causing incorrect transfers.

  • The recipient receives less than expected, and the sender loses more than they should.

Vulnerability Details

Current RToken#transfer() Implementation

function transfer(address recipient, uint256 amount) public override(ERC20, IERC20) returns (bool) {
@>  uint256 scaledAmount = amount.rayDiv(ILendingPool(_reservePool).getNormalizedIncome());
    return super.transfer(recipient, scaledAmount);
}

Current _update() Implementation

function _update(address from, address to, uint256 amount) internal override {
@>  uint256 scaledAmount = amount.rayDiv(ILendingPool(_reservePool).getNormalizedIncome());
    super._update(from, to, scaledAmount);
}

Instead of receiving amount, the recipient receives amount / (index * index), where index is the value returned by getNormalizedIncome().
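
The double division described above, modelled as an added example that is not code from the RToken contract or from this submission. `ScaledLedger`, `simulate` and the index of 1.25 are constructed for illustration; it assumes `rayDiv`/`rayMul` round half-up as in Aave-style ray math and that the visible balance is the scaled balance multiplied by the index.

```javascript
// Added model of scaled-balance bookkeeping; not the RToken source.
const RAY = 10n ** 27n;
// Assumption: rayDiv/rayMul round half-up, as in Aave-style WadRayMath.
const rayDiv = (a, b) => (a * RAY + b / 2n) / b;
const rayMul = (a, b) => (a * b + RAY / 2n) / RAY;

class ScaledLedger {
  constructor(index) {
    this.index = index;      // stands in for getNormalizedIncome()
    this.scaled = new Map(); // holder -> scaled balance
  }
  // Mirrors _update(): scales the amount, then moves scaled units.
  _update(from, to, amount) {
    const scaledAmount = rayDiv(amount, this.index);
    const fromBal = this.scaled.get(from) ?? 0n;
    if (fromBal < scaledAmount) throw new Error("insufficient balance");
    this.scaled.set(from, fromBal - scaledAmount);
    this.scaled.set(to, (this.scaled.get(to) ?? 0n) + scaledAmount);
    return scaledAmount;
  }
  // Mirrors the reported transfer(): pre-scales, then _update() scales again.
  transferDoubleScaled(from, to, amount) {
    return this._update(from, to, rayDiv(amount, this.index));
  }
  // Scaling happens exactly once, inside _update().
  transferSingleScaled(from, to, amount) {
    return this._update(from, to, amount);
  }
  // Assumption: the visible balance is scaled balance * index.
  balanceOf(holder) {
    return rayMul(this.scaled.get(holder) ?? 0n, this.index);
  }
}

// Constructed scenario: index = 1.25, sender holds 1000 tokens, sends 100.
function simulate(method) {
  const unit = 10n ** 18n;
  const ledger = new ScaledLedger((RAY * 125n) / 100n);
  ledger.scaled.set("sender", rayDiv(1000n * unit, ledger.index));
  const scaledMoved = ledger[method]("sender", "recipient", 100n * unit);
  return { scaledMoved, recipientBalance: ledger.balanceOf("recipient") };
}

for (const m of ["transferSingleScaled", "transferDoubleScaled"]) {
  const r = simulate(m);
  console.log(m, r.scaledMoved.toString(), r.recipientBalance.toString());
}
```

A regression test for the real contract can follow the same shape: transfer a known amount at an index above 1 RAY and compare the recipient's balance change with the requested amount.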

Impact

The sender loses more tokens than intended, which is a loss of funds.

The recipient receives less than expected.

Tools Used

manual

Recommendations

Remove the transfer() override so that amount is scaled only once, in _update().

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RToken::transfer and transferFrom double-scale amounts by dividing in both external functions and _update, causing users to transfer significantly less than intended