Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

The burn function in the `RToken.sol` contract returns two identical amounts, causing interest losses for users

eta

Summary

The burn function in RToken.sol incorrectly returns two identical amounts instead of the scaled amount (excluding interest) and the original amount (excluding interest), potentially causing user interest losses and discrepancies in interest distribution.

Vulnerability Details

Core issue:
The burn function currently returns the same value for both the scaled amount and the original amount:

contracts/core/tokens/RToken.sol:burn#L184

function burn(
address from,
address receiverOfUnderlying,
uint256 amount,
uint256 index
) external override onlyReservePool returns (uint256, uint256, uint256) {
return (amount, totalSupply(), amount); // @audit: ❌ Error: Returns identical amounts

Here, both amount values are identical, which is incorrect because one should represent the underlying amount (without interest) and the other should be the scaled amount (with interest) according to the withdraw function in the ReserveLibrary.sol contract:

contracts/libraries/pools/ReserveLibrary.sol:withdraw#L377

function withdraw(
ReserveData storage reserve,
ReserveRateData storage rateData,
uint256 amount,
address recipient
)
internal
returns (
uint256 amountWithdrawn,
uint256 amountScaled,
uint256 amountUnderlying
)
{
//@audit: receive burnedScaledAmount, uint256 newTotalSupply, uint256 amountUnderlying from burn function, not identical amount
(uint256 burnedScaledAmount, uint256 newTotalSupply, uint256 amountUnderlying) = IRToken(reserve.reserveRTokenAddress).burn(
recipient, // from
recipient, // receiverOfUnderlying
amount, // amount
reserve.liquidityIndex // index
);
amountWithdrawn = burnedScaledAmount;
...

Impact

  • Incorrect Financial Calculations: The return values do not align with the expectations of the ReserveLibrary.sol contract. For instance, withdrawing funds may result in miscalculations of how much the user should receive, potentially resulting in asset imbalances.

  • Inconsistent Protocol Vulnerabilities: Returning the same value for both amounts could disrupt the integrity of the protocol's internal state, particularly in calculations relating to interest accrual, token balances, and total supply.

Tools Used

Manual Code Review

Recommendations

It is recommended to correct return values in the burn function of the RToken.sol contract. According to the ReserveLibrary.sol contract, the withdraw function expects to receive two distinct amounts: one representing the scaled amount (including interest) and the other representing the original amount (without interest). The correct return value should be:

function burn(
address from,
address receiverOfUnderlying,
uint256 amount,
uint256 index
) external override onlyReservePool returns (uint256, uint256, uint256) {
...
- return (amount, totalSupply(), amount);
+ amountScaled, // Amount with interest
+ totalSupply(), // Updated total supply
+ amount // Original amount (without interest)
+ );
Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RToken::burn returns incorrect underlying asset amount (amount instead of amountScaled), leading to wrong interest rate calculations

inallhonesty Lead Judge about 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RToken::burn returns incorrect underlying asset amount (amount instead of amountScaled), leading to wrong interest rate calculations

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.