On depositing to LendingPool, the amount of reserveAssets is transferred to the pool and rToken::mint is called (via reserveLibrary).
The same amount is passed to the internal OZ ERC20 _mint() function, which calls _update().
_update is overridden by rToken to add scaling logic.
transfer is overridden too and implements the same scaling logic, after which the parent's transfer is invoked with scaledAmount as the argument.
If we follow the parent's transfer call chain, the transfer calls OZ's ERC20::_transfer -> _update -> rToken::_update -> OZ ERC20::_update.
We can observe that on an rToken transfer, the same scaling is applied twice, resulting in a lower actual amount transferred.
rToken::transferFrom is called in StabilityPool::withdraw, transferring less value than intended. The delta amount is locked in the contract.
Locked rToken assets in StabilityPool.
ERC20::_update is called from all contexts that change balances. Remove the scaling from rToken::transfer and transferFrom.
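
The double scaling and the effect of the recommended fix can be reproduced with a small model of the call chain. This is an added example, not the project's contract code: the class layout, the ray (27-decimal) division by an index of 1.1, and the account names are assumptions chosen to mirror the description above.

```python
RAY = 10**27  # assumed 27-decimal fixed-point unit for the index

def ray_div(a, b):
    return (a * RAY + b // 2) // b

def ray_mul(a, b):
    return (a * b + RAY // 2) // RAY

class ERC20:
    """Stand-in for the OZ ERC20 call chain: transfer -> _transfer -> _update."""
    def __init__(self):
        self.stored = {}

    def _update(self, src, dst, value):
        if src is not None:
            if self.stored.get(src, 0) < value:
                raise ValueError("insufficient balance")
            self.stored[src] -= value
        if dst is not None:
            self.stored[dst] = self.stored.get(dst, 0) + value

    def _mint(self, to, value):
        self._update(None, to, value)

    def transfer(self, src, dst, value):
        self._update(src, dst, value)  # virtual dispatch reaches the override

class RToken(ERC20):
    def __init__(self, index, scale_in_transfer):
        super().__init__()
        self.index = index
        self.scale_in_transfer = scale_in_transfer

    def _update(self, src, dst, amount):
        super()._update(src, dst, ray_div(amount, self.index))  # scaling #1

    def transfer(self, src, dst, amount):
        if self.scale_in_transfer:  # behaviour described in the finding
            amount = ray_div(amount, self.index)  # scaling #2 (redundant)
        super().transfer(src, dst, amount)

    def balance_of(self, who):
        return ray_mul(self.stored.get(who, 0), self.index)

def withdraw_result(scale_in_transfer, amount=100 * 10**18, index=11 * 10**26):
    """Mint to the pool, transfer the same amount out, return (received, stuck)."""
    token = RToken(index, scale_in_transfer)
    token._mint("StabilityPool", amount)
    token.transfer("StabilityPool", "user", amount)
    return token.balance_of("user"), token.balance_of("StabilityPool")
```

With the scaling left in transfer, the user receives roughly amount / index and the remainder stays in the pool's balance; with it removed, the full amount moves and nothing is left behind.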