Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Incorrect Calculation of `amountScaled` in the `burn` Function of the `RToken.sol` Contract Causes Users to Burn More RToken than Necessary

Summary

The `burn` function in `RToken.sol` incorrectly calculates the scaled amount (`amountScaled`) by multiplying by the interest rate index instead of dividing by it, causing users to burn more RToken than necessary and lose their interest earnings.

Vulnerability Details

Core issue:
The current implementation calculates the scaled amount as `amountScaled = amount * index` instead of `amountScaled = amount / index`.

This results in a larger number of RToken being burned than necessary, as the amount is multiplied by the interest rate index.

contracts/core/tokens/RToken.sol:burn#L172

```solidity
function burn(
    address from,
    address receiverOfUnderlying,
    uint256 amount,
    uint256 index
) external override onlyReservePool returns (uint256, uint256, uint256) {
    ...
    // @audit: Incorrect amountScaled calculation leads to burning more RToken than necessary.
    uint256 amountScaled = amount.rayMul(index);
    ...
}
```

contracts/libraries/pools/ReserveLibrary.sol:withdraw#L377

```solidity
function withdraw(
    ReserveData storage reserve,
    ReserveRateData storage rateData,
    uint256 amount,
    address recipient
) internal returns (uint256 amountWithdrawn, uint256 amountScaled, uint256 amountUnderlying) {
    ...
    (uint256 burnedScaledAmount, uint256 newTotalSupply, uint256 amountUnderlying) = IRToken(reserve.reserveRTokenAddress).burn(
        recipient,              // from
        recipient,              // receiverOfUnderlying
        amount,                 // amount
        reserve.liquidityIndex  // index
    );
    ...
}
```
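The size of the over-burn can be checked off-chain. The following is an added example, not code from `RToken.sol` or the project; it assumes half-up ray rounding for `rayMul`/`rayDiv` and a scaled-balance model in which scaled units times the index give the underlying value. The function names and sample values are constructed for illustration.

```python
# Added illustration: compares the scaled amount produced by multiplying
# vs. dividing by the index. Not code from the audited repository.
RAY = 10**27            # 27-decimal fixed point used for the index
HALF_RAY = RAY // 2

def ray_mul(a: int, b: int) -> int:
    """a * b in ray precision, rounding half up (assumed library behaviour)."""
    return (a * b + HALF_RAY) // RAY

def ray_div(a: int, b: int) -> int:
    """a / b in ray precision, rounding half up (assumed library behaviour)."""
    if b == 0:
        raise ZeroDivisionError("index must be non-zero")
    return (a * RAY + b // 2) // b

def scaled_buggy(amount: int, index: int) -> int:
    return ray_mul(amount, index)     # what the finding reports

def scaled_fixed(amount: int, index: int) -> int:
    return ray_div(amount, index)     # what the finding recommends

def burn_comparison(amount: int, index: int) -> dict:
    """Scaled units burned each way, and the underlying value they represent."""
    buggy = scaled_buggy(amount, index)
    fixed = scaled_fixed(amount, index)
    return {
        "buggy_scaled": buggy,
        "fixed_scaled": fixed,
        # Assumption: underlying value of scaled units = scaled * index.
        "buggy_value": ray_mul(buggy, index),
        "fixed_value": ray_mul(fixed, index),
        "excess_scaled": buggy - fixed,
    }

if __name__ == "__main__":
    amount = 100 * 10**18             # constructed: 100 tokens, 18 decimals
    for index in (RAY, 11 * 10**26):  # constructed: index 1.0 and 1.1
        print(index, burn_comparison(amount, index))
```

With the index at exactly one ray both formulas return the same value, so a test that never accrues interest will not expose the difference; at index 1.1 the multiplied form burns scaled units worth 121 tokens for a 100-token withdrawal.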

Impact

  • User Impact: Users may lose out on their interest earnings because the system burns more RToken than intended to withdraw the required underlying asset.

  • Protocol Integrity: The incorrect burning of RToken impacts the protocol's economic model by breaking the 1:1 value peg between RToken and the underlying asset. This can result in an imbalance in the reserve pool and potentially affect the protocol's solvency.

Tools Used

Manual Code Review

Recommendations

It is recommended to correct the calculation of amountScaled and replace the multiplication with division in the burn function to ensure that only the appropriate amount of RToken is burned based on the underlying asset value:

function burn(
address from,
address receiverOfUnderlying,
uint256 amount,
uint256 index
) external override onlyReservePool returns (uint256, uint256, uint256) {
- uint256 amountScaled = amount.rayMul(index);
+ uint256 amountScaled = amount.rayDiv(index);
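
Review bot: On the `+` line, `amount.rayDiv(index)` depends on `index` being non-zero, and the hunk shows neither a guard nor a test for it. Multiplying and dividing give the same result when the index equals one ray, so a regression test should call `burn` with an accrued index (for example the `reserve.liquidityIndex` that `withdraw` passes after interest has accrued). Also confirm that every later use of `amountScaled` inside `burn`, and the first return value that `withdraw` reads as `burnedScaledAmount`, expect the divided value.
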
Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RToken::burn incorrectly calculates amountScaled using rayMul instead of rayDiv, causing incorrect token burn amounts and breaking the interest accrual mechanism
