Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Users can't withdraw interest accumulated by their rTokens deposited into `StabilityPool`

alexczm

Summary

The rToken is a rebase token.

The interest accumulated by rTokens deposited in StabilityPool is lost.

Vulnerability Details

RToken is a rebasing token, meaning it increases in balance not in value. rToken balance is derived from the scaledBalance, which remains constant for a user unless they mint/burn (deposit/ withdraw in LendingPool) or transfer.
The key relationship is rToken balance = scaledBalance * liquidityIndex, where index tracks interest accumulation.

User can deposit rTokens in `StabilityPool for additional rewards. A one-to-one amount of deToken is minted.

On withdraw, the deCRVUSDAmount deToken is burned and same amount of rToken is transfered to user.

function withdraw(uint256 deCRVUSDAmount) external nonReentrant whenNotPaused validAmount(deCRVUSDAmount) {

_update();

if (deToken.balanceOf(msg.sender) < deCRVUSDAmount) revert InsufficientBalance();

uint256 rcrvUSDAmount = calculateRcrvUSDAmount(deCRVUSDAmount);

uint256 raacRewards = calculateRaacRewards(msg.sender);

if (userDeposits[msg.sender] < rcrvUSDAmount) revert InsufficientBalance();

userDeposits[msg.sender] -= rcrvUSDAmount;

if (userDeposits[msg.sender] == 0) {

delete userDeposits[msg.sender];

}

@> deToken.burn(msg.sender, deCRVUSDAmount);

@> rToken.safeTransfer(msg.sender, rcrvUSDAmount);

if (raacRewards > 0) {

raacToken.safeTransfer(msg.sender, raacRewards);

}

The problem is that any interest accumulated by rTokens deposited in the StabilityPool is lost. Users can't withdraw more than the amount deposited due to fixed deToken balances (where rToken balances increase as the liquidityIndex increases) and due to the second userDeposits accounting.

Impact

Loss of accumulated interest.

Tools Used

Recommendations

There are different possible solution to address this issue:

wrap rToken in a wrToken that increases in value. eg. similarly to wstEth; allow users to deposit wrToken in StabilityPool;
update deToken and StabilityPool implementation and make deToken to be the wrapped variant of rToken. deToken will be redeemable for deposited rToken and interest accumulated.

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago

Submission Judgement Published

Validated

Assigned finding tags:

StabilityPool's userDeposits mapping doesn't update with DEToken transfers or interest accrual, and this combined with RToken transfers causes fund loss and permanent lockup

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.