Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

`withdraw` Function Returns Incorrect Double `amountUnderlying` Value in the `ReserveLibrary.sol` Contract

eta

Summary

The withdraw function returns two amountUnderlying values in the ReserveLibrary.sol contract. This causes the LendingPool.sol contract's withdraw function to not receive the correct return value, burnedScaledAmount. As a result, this leads to inconsistencies in the data passed between contracts, which could affect event emissions and data analytics downstream.

Vulnerability Details

Core issue:
The withdraw function in the ReserveLibrary.sol contract returns two amountUnderlying instead of amountWithdrawn and amountUnderlying, which need to be received by the withdrawn function in the LendingPool contract.

contracts/libraries/pools/ReserveLibrary.sol:

function withdraw(
ReserveData storage reserve,
ReserveRateData storage rateData,
uint256 amount,
address recipient
) internal returns (uint256 amountWithdrawn, uint256 amountScaled, uint256 amountUnderlying) {
amountWithdrawn = burnedScaledAmount;
return (
amountUnderlying, // @audit ❌ Incorrect: returning actual amount instead of standardized amount
burnedScaledAmount,
amountUnderlying
);

contracts/core/pools/LendingPool/LendingPool.sol:withdraw#L252

function withdraw(uint256 amount) external nonReentrant whenNotPaused onlyValidAmount(amount) {
...
@ audit The `withdraw` function in the `LendingPool` contract need to receive amountWithdrawn
(uint256 amountWithdrawn, uint256 amountScaled, uint256 amountUnderlying) = ReserveLibrary.withdraw(
reserve, // ReserveData storage
rateData, // ReserveRateData storage
amount, // Amount to withdraw
msg.sender // Recipient
);

Impact

  1. Data Inconsistency: The returned values from ReserveLibrary.withdraw are not aligned with their intended purpose. Specifically, the amountWithdrawn value is supposed to represent the standardized amount but is instead returning the actual underlying amount. This discrepancy can result in incorrect data being propagated throughout the contract, leading to data inconsistency.

  2. Incorrect Event Emission: In the LendingPool.sol contract, the withdraw function need to receive amountWithdrawn and emit the event Withdraw(msg.sender, amountWithdrawn), instead of the standardized amount (burnedScaledAmount).

Tools Useds

Manual code review

Recommendations

It is recommended to fix return values in the withdraw function of the LendingPool.sol contract to return the correct standardized amount for amountWithdrawn:

function withdraw(uint256 amount) external nonReentrant whenNotPaused onlyValidAmount(amount) {
...
return (
amountWithdrawn, // @audit Correctly return the standardized amount
burnedScaledAmount,
amountUnderlying
);
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

ReserveLibrary::withdraw returns amountUnderlying instead of amountWithdrawn, causing incorrect event emissions and potential calculation errors in LendingPool

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

ReserveLibrary::withdraw returns amountUnderlying instead of amountWithdrawn, causing incorrect event emissions and potential calculation errors in LendingPool

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!