Core Contracts

Summary

In the mint function of the RToken contract, a variable balanceIncrease is calculated to capture the accrued interest (i.e., the increase in the user's balance due to a higher liquidity index) since the last update. However, this computed value is never applied to the user's minted balance or stored for subsequent calculations. As a result, users do not receive credit for the interest accrued on their existing holdings when new tokens are minted, leading to inaccurate accounting of user balances.

Vulnerability Details

1. Accrued Interest Calculation:

   The mint function includes the following snippet intended to calculate the accrued interest:

   uint256 balanceIncrease = 0;

   if (_userState[onBehalfOf].index != 0 && _userState[onBehalfOf].index < index) {

   balanceIncrease = scaledBalance.rayMul(index) - scaledBalance.rayMul(_userState[onBehalfOf].index);

   }

   This calculation computes the difference between the user's scaled balance adjusted to the new liquidity index and the scaled balance adjusted to the previous index. The intention is to determine how much extra balance the user should receive as a result of accrued interest.

2. Unused balanceIncrease:

   Despite calculating balanceIncrease, the variable is not incorporated into any subsequent logic. Neither is it added to the minted token amount nor used to update the internal user state. This omission means that any additional tokens that should be credited to the user because of accrued interest are effectively ignored.

3. Consequences in Minting Logic:

   • Inaccurate User Balances:
     Users will not receive the full value reflecting the accrued interest when minting new tokens. Their actual balance will be lower than what the protocol's interest accrual model suggests.

Proof-of-Concept (POC) Example

Assume:

• A user has an existing scaled balance that, when adjusted to the current liquidity index, should reflect 100 tokens.

• The liquidity index increases from oldIndex to newIndex such that the accrued interest would add an extra 5 tokens (i.e., balanceIncrease should equal 5).

• During a subsequent mint operation, the function computes:

  balanceIncrease = scaledBalance.rayMul(newIndex) - scaledBalance.rayMul(oldIndex); // Expected to be 5

• Since balanceIncrease is not added to the minted amount or stored, the user’s effective balance remains at 100 tokens instead of the intended 105 tokens.

Impact

• Undercredited Balances:
  Users miss out on interest accrual, receiving fewer tokens than they are entitled to, which directly impacts their yield.

Tools Used

Manual review

Recommendations

1. Integrate the Accrued Interest:

   • Update the minting logic to incorporate the balanceIncrease value. For example, add balanceIncrease to the user's minted balance or adjust the user's scaled balance accordingly.

2. Revise the User State Update:

   • Ensure that the user’s state (including their last recorded liquidity index) is updated correctly after applying the accrued interest, so future calculations are based on the proper baseline.