Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Incorrect Return Value Handling in the `deposit` Function of `ReserveLibrary.sol` Contract

eta

Summary

The deposit function in the ReserveLibrary.sol contract receiving the return values incorrectly processes amountScaled as the amountToMint. It causes discrepancies in the interest calculations and could undermine the 1:1 value ratio between RToken and the underlying asset.

Vulnerability Details

Core Issue

  • Mint Return Values: The mint function in the RToken.sol contract returns four values: isFirstMint, amountToMint, totalSupply(), and amountScaled. However, the ReserveLibrary.sol library receiving the return values mistakenly processes amountToMint as amountScaled and vice versa.

  • Incorrect Return Value Handling: In the ReserveLibrary, the mint function’s return values are captured as follows:

contracts/libraries/pools/ReserveLibrary.sol:deposit#L337

function deposit(ReserveData storage reserve,ReserveRateData storage rateData,uint256 amount,address depositor) internal returns (uint256 amountMinted) {
...
(
bool isFirstMint,
uint256 amountScaled, // @audit: ❌ Incorrect - should receive amountToMint, not amountScaled
uint256 newTotalSupply,
uint256 amountUnderlying // @audit: ❌ Incorrect - should receive amountScaled, not amountToMint
) = IRToken(reserve.reserveRTokenAddress).mint(...);
amountMinted = amountScaled; // @audit: ❌ Error! amountScaled is actually amountToMint
```
```solidity
function mint(
address caller,
address onBehalfOf,
uint256 amountToMint,
uint256 index
) external override onlyReservePool returns (bool, uint256, uint256, uint256) {
...
// @audit: return amountToMint before amountScaled
return (isFirstMint, amountToMint, totalSupply(), amountScaled);
}

Impact

  • Incorrect Minting Process: The current implementation leads to a situation where the ReserveLibrary uses the wrong amount (amountScaled) for further calculations. This may cause erroneous token minting, violating the 1:1 peg between RToken and the underlying asset.

  • Excessive Minting: Since amountMinted uses the incorrect value (amountScaled), users may mint more RToken tokens than expected, leading to an imbalance in the supply and demand for the token. This could potentially result in an overvaluation of the RToken and an incorrect interest distribution.

  • Liquidity Pool Discrepancy: Misusing the wrong minted amount can cause issues in the liquidity pool, where the amount of underlying assets may not match the minted RToken, leading to a potential misalignment in the platform’s assets and liabilities.

Tools Used

Manual code review

Recommendations

It is recommended to revise return value Handling to ensure that the deposit function in the ReserveLibrary contract receive correct return values of amountScaled and amountUnderlying from the mint function in the RToken.sol contract.

(
bool isFirstMint,
- uint256 amountScaled,
+ uint256 amountToMint, // Correct: actual minted amount
uint256 newTotalSupply,
- uint256 amountToMint,
+ uint256 amountScaled // Correct: standardized amount
) = IRToken(reserve.reserveRTokenAddress).mint(...);
amountMinted = amountScaled; // Correct: use standardized amount for calculations in the `LendingPool.sol` contract
Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RToken::mint should mint the amountScaled not the amountToMint

inallhonesty Lead Judge about 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RToken::mint should mint the amountScaled not the amountToMint

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.