Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Invalid

Incorrect balanceIncrease Calculation in RToken::mint

01. Relevant GitHub Links

02. Summary

In the RToken::mint function, the logic to calculate balanceIncrease may produce an incorrect result when the user’s RToken balance has changed due to transfers. Specifically, if a user has never interacted with the protocol but receives RToken via a transfer, _userState[onBehalfOf].index is still zero, so balanceIncrease is never calculated.

03. Vulnerability Details

Since balanceIncrease depends on comparing the current index to a previous index, any user who has an index set to zero will skip this calculation. This means if they received RToken through a transfer, their effective previous index is never updated, leading to a potential mismatch whenever the protocol tries to calculate interest-based increases.

function mint(
    address caller,
    address onBehalfOf,
    uint256 amountToMint,
    uint256 index
) external override onlyReservePool returns (bool, uint256, uint256, uint256) {
    if (amountToMint == 0) {
        return (false, 0, 0, 0);
    }
    uint256 amountScaled = amountToMint.rayDiv(index);
    if (amountScaled == 0) revert InvalidAmount();
    uint256 scaledBalance = balanceOf(onBehalfOf);
    bool isFirstMint = scaledBalance == 0;
    uint256 balanceIncrease = 0;
@>  if (_userState[onBehalfOf].index != 0 && _userState[onBehalfOf].index < index) {
        balanceIncrease = scaledBalance.rayMul(index) - scaledBalance.rayMul(_userState[onBehalfOf].index);
    }
    _userState[onBehalfOf].index = index.toUint128();
    _mint(onBehalfOf, amountToMint.toUint128());
    emit Mint(caller, onBehalfOf, amountToMint, index);
    return (isFirstMint, amountToMint, totalSupply(), amountScaled);
}

04. Impact

  • Although balanceIncrease is not currently used by other parts of the contract, it represents a clearly incorrect implementation. This could become problematic if future protocol features rely on balanceIncrease.

05. Tools Used

Manual Code Review and Foundry

06. Recommended Mitigation

  • Update the mint function to handle the case where _userState[onBehalfOf].index is zero but the user has received RToken via transfers.
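
The skipped branch can be reproduced off-chain. The Python model below is an added illustration, not part of the submission or the project's code; it assumes Aave-style rounding for rayMul/rayDiv, a plain balance mapping standing in for balanceOf, and a transfer that leaves the recipient's stored index untouched, as the report describes. All names and sample values are constructed.

```python
# Added illustration: a minimal model of the index guard in RToken::mint.
# Assumptions: Aave-style ray math, a plain balance mapping, and a transfer
# that moves balance without touching the recipient's stored index.
RAY = 10**27
HALF_RAY = RAY // 2

def ray_mul(a: int, b: int) -> int:
    return (a * b + HALF_RAY) // RAY

def ray_div(a: int, b: int) -> int:
    return (a * RAY + b // 2) // b

class RTokenModel:
    def __init__(self):
        self.balance = {}     # stands in for balanceOf()
        self.user_index = {}  # stands in for _userState[user].index

    def transfer(self, src, dst, amount):
        # Modelled on the report's claim: the recipient's index is not written.
        assert self.balance.get(src, 0) >= amount
        self.balance[src] -= amount
        self.balance[dst] = self.balance.get(dst, 0) + amount

    def mint(self, on_behalf_of, amount_to_mint, index):
        """Mirror the quoted mint(); returns (is_first_mint, balance_increase)."""
        if amount_to_mint == 0:
            return (False, 0)
        if ray_div(amount_to_mint, index) == 0:
            raise ValueError("InvalidAmount")
        scaled_balance = self.balance.get(on_behalf_of, 0)
        prev = self.user_index.get(on_behalf_of, 0)
        balance_increase = 0
        if prev != 0 and prev < index:  # the guard marked with @> in the report
            balance_increase = ray_mul(scaled_balance, index) - ray_mul(scaled_balance, prev)
        self.user_index[on_behalf_of] = index
        self.balance[on_behalf_of] = scaled_balance + amount_to_mint
        return (scaled_balance == 0, balance_increase)

def demo():
    t = RTokenModel()
    i0, i1 = RAY, RAY * 11 // 10              # constructed indices: 1.0, then 1.1
    t.mint("alice", 200 * 10**18, i0)
    t.mint("carol", 100 * 10**18, i0)
    t.transfer("alice", "bob", 100 * 10**18)  # bob now holds 100, index still 0
    _, bob_inc = t.mint("bob", 1 * 10**18, i1)
    _, carol_inc = t.mint("carol", 1 * 10**18, i1)
    return bob_inc, carol_inc
```

Bob and Carol hold the same balance across the same index change, yet only Carol's mint reports a non-zero balanceIncrease.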

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

RToken::mint skips balanceIncrease calculation for users who received tokens via transfers due to zero userState index, potentially affecting future protocol features

