Missing Override for Approve and Permit in RToken
01. Relevant GitHub Links
02. Summary
In this RToken implementation, the standard approve and permit functions are not overridden. Since RToken balances do not carry the same value as the underlying asset balance (they must be scaled by rayMul(NormalizedIncome)), a user could unintentionally allow more tokens than they initially expect.
03. Vulnerability Details
Behavior: The approve and permit functions in RToken behave the same as in a typical ERC20 token, but the actual token value is scaled by
rayMul(NormalizedIncome).Consequence: Because of this scaling, the allowance set through approve or permit might not accurately reflect the real value of the tokens. Users relying on these functions could end up granting a higher allowance than intended.
04. Impact
If users or other contracts rely on the standard ERC20 allowance mechanism, they might unknowingly approve or permit a larger amount of tokens. This discrepancy may lead to unintended token transfers or a loss of precise control over token spending.
05. Tools Used
Manual Code Review and Foundry
06. Recommended Mitigation
Override the approve and permit functions to account for the scaling logic. Ensure that any allowances correctly consider the NormalizedIncome so that the approved amounts match users’ expectations.
Lead Judging Commences
RToken approval mechanism unit mismatch: approve() uses scaled units while transferFrom() uses underlying units, allowing attackers to transfer more tokens than users intended to approve
RToken approval mechanism unit mismatch: approve() uses scaled units while transferFrom() uses underlying units, allowing attackers to transfer more tokens than users intended to approve
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.