In this RToken implementation, the standard approve and permit functions are not overridden. Since RToken balances do not carry the same value as the underlying asset balance (they must be scaled by rayMul(NormalizedIncome)), a user could unintentionally allow more tokens than they initially expect.
Behavior: The approve and permit functions in RToken behave the same as in a typical ERC20 token, but the actual token value is scaled by rayMul(NormalizedIncome).
Consequence: Because of this scaling, the allowance set through approve or permit might not accurately reflect the real value of the tokens. Users relying on these functions could end up granting a higher allowance than intended.
If users or other contracts rely on the standard ERC20 allowance mechanism, they might unknowingly approve or permit a larger amount of tokens. This discrepancy may lead to unintended token transfers or a loss of precise control over token spending.
Manual Code Review and Foundry
Override the approve and permit functions to account for the scaling logic. Ensure that any allowances correctly consider the NormalizedIncome so that the approved amounts match users' expectations.
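As an added example, not the project's RToken code, the following minimal scaled-balance token keeps approve, balanceOf and the transferFrom amount in the same unit (underlying value), with the one conversion to scaled units done inside _transfer, so an allowance means exactly what the approver sees in balanceOf. The contract name, rayMul/rayDiv rounding, and the mint and setNormalizedIncome helpers are constructed for illustration; a permit implementation would write the same allowance mapping in the same unit.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Constructed illustration of a consistent-unit design; not the audited RToken.
// Storage holds balances in scaled units; balanceOf reports scaled * index / RAY
// ("underlying" units). Allowances and transferFrom amounts are also in
// underlying units, so the value a spender can move never exceeds the approval.
contract ScaledAllowanceToken {
    uint256 internal constant RAY = 1e27;
    uint256 public normalizedIncome = RAY;                 // liquidity index, grows over time
    mapping(address => uint256) internal _scaled;          // balances in scaled units
    mapping(address => mapping(address => uint256)) public allowance; // underlying units
    function rayMul(uint256 a, uint256 b) internal pure returns (uint256) {
        return (a * b + RAY / 2) / RAY;
    }
    function rayDiv(uint256 a, uint256 b) internal pure returns (uint256) {
        return (a * RAY + b / 2) / b;
    }
    function balanceOf(address who) public view returns (uint256) {
        return rayMul(_scaled[who], normalizedIncome);
    }
    // Helpers (left unrestricted only for the example): mint in underlying units, move the index.
    function mint(address to, uint256 underlying) external {
        _scaled[to] += rayDiv(underlying, normalizedIncome);
    }
    function setNormalizedIncome(uint256 newIndex) external {
        normalizedIncome = newIndex;
    }
    // approve takes the same unit balanceOf reports, so an allowance of N means
    // "up to N underlying" no matter how the index moves afterwards.
    function approve(address spender, uint256 underlying) external returns (bool) {
        allowance[msg.sender][spender] = underlying;
        return true;
    }
    function transferFrom(address from, address to, uint256 underlying) external returns (bool) {
        uint256 allowed = allowance[from][msg.sender];
        require(allowed >= underlying, "allowance exceeded");
        allowance[from][msg.sender] = allowed - underlying;  // deducted in underlying units
        _transfer(from, to, underlying);
        return true;
    }
    function _transfer(address from, address to, uint256 underlying) internal {
        uint256 scaledAmount = rayDiv(underlying, normalizedIncome); // single conversion point
        require(_scaled[from] >= scaledAmount, "balance exceeded");
        _scaled[from] -= scaledAmount;
        _scaled[to] += scaledAmount;
    }
}
```

In a Foundry test, mint to an owner, approve a spender for N, raise normalizedIncome, and assert that transferFrom can move at most N underlying; that is the property the report says the unmodified approve and permit do not guarantee.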