Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Incorrect balance calculation in calculateDustAmount

Summary

The balance calculation in calculateDustAmount is incorrect.

Vulnerability Details

The calculateDustAmount function is meant to calculate the dust balance, that is, the current balance held by this RToken contract minus all funds that belong to lenders. The owner can transfer this dust directly.

In calculateDustAmount(), contractBalance is computed as balanceOf(address(this)).rayDiv(getNormalizedIncome()). This is incorrect, because IERC20(_assetAddress).balanceOf(address(this)) is already the current balance of the underlying asset. It should not be converted to a scaled amount.

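function calculateDustAmount() public view returns (uint256) {
    // Calculate the actual balance of the underlying asset held by this contract
    // (the rayDiv below scales that balance down by the normalized income, which is the issue reported here)
    uint256 contractBalance = IERC20(_assetAddress).balanceOf(address(this)).rayDiv(ILendingPool(_reservePool).getNormalizedIncome());
    // ... (remainder of the function is not shown in this report)
}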

Impact

As a result, contractBalance will be less than expected, and the owner may fail to withdraw this dust.

Tools Used

Manual

Recommendations

Use IERC20(_assetAddress).balanceOf(address(this)) as contractBalance directly.
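
A numeric model of the impact and of the recommended fix, added here as an illustration in Python and not taken from the RToken source. It uses ray (1e27) fixed-point division with half-up rounding, treats the amount owed to lenders as a given input, and assumes the result is clamped at zero; all function names, balances and index values are constructed.

```python
RAY = 10**27  # fixed-point scale of the liquidity index (normalized income)


def ray_div(a: int, b: int) -> int:
    """a / b in ray precision, rounded half up."""
    return (a * RAY + b // 2) // b


def dust_as_reported(balance: int, owed: int, index: int) -> int:
    """Behaviour the finding describes: the raw balance is divided by the index."""
    scaled = ray_div(balance, index)
    return scaled - owed if scaled > owed else 0  # clamp at zero is an assumption


def dust_as_recommended(balance: int, owed: int) -> int:
    """Recommended form: the raw underlying balance is used directly."""
    return balance - owed if balance > owed else 0


def sweep(balance: int, owed: int, indices: list) -> list:
    """Return (index, reported dust, dust hidden by the scaling) for each index."""
    actual = dust_as_recommended(balance, owed)
    rows = []
    for index in indices:
        reported = dust_as_reported(balance, owed, index)
        rows.append((index, reported, actual - reported))
    return rows


# Constructed scenario: 1,050 tokens held, 1,000 owed to lenders (18 decimals).
BALANCE = 1_050 * 10**18
OWED = 1_000 * 10**18
# Constructed index values: 1.00, 1.02, 1.05 and 1.10 in ray units.
INDICES = [100 * 10**25, 102 * 10**25, 105 * 10**25, 110 * 10**25]

if __name__ == "__main__":
    for index, reported, hidden in sweep(BALANCE, OWED, INDICES):
        print(f"index={index / RAY:.2f}  "
              f"reported={reported / 1e18:.4f}  hidden={hidden / 1e18:.4f}")
```

In this scenario the reported dust shrinks as the index grows and reaches zero once the index has grown by the same proportion as the surplus, even though 50 tokens of real surplus remain in the contract.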

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RToken::calculateDustAmount incorrectly applies liquidity index, severely under-reporting dust amounts and permanently trapping crvUSD in contract
