rTokens get double scaled when being transferred, which may lead to bad and inaccurate transfers
As seen in the RToken::transfer function, the amount is denominated in underlying units, then it is scaled to match the corresponding amount of RToken, and
then the ERC20::transfer function is called:
The problem here is that the ERC20::transfer function calls ERC20::_update, and at this point in the codebase the _update function is overridden to scale the amount again, as seen here:
This means that the transferred amount gets double scaled, which will lead to many inaccurate transfers over time.
Because of this, improper amounts of tokens will be transferred whenever LendingPool::getNormalizedIncome is different from 1 Ray, which will happen 100% of the time after the first deposit. This can mainly be exploited in the StabilityPool, since in the StabilityPool::withdraw function rTokens are transferred directly to the user.
Manual Review
Don't scale the amount in the RToken::transfer function. Instead, leave this to the _update function.
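The effect can be quantified with a small numeric model. This is an added example, not the project's code: the class and function names are hypothetical, and it assumes the scaling is an Aave-style ray division by the normalized income with half-up rounding.

```python
RAY = 10**27  # 27-decimal fixed point unit ("1 Ray")

def ray_div(a: int, b: int) -> int:
    """Half-up fixed-point division (assumed rounding, Aave WadRayMath style)."""
    return (a * RAY + b // 2) // b

def ray_mul(a: int, b: int) -> int:
    """Half-up fixed-point multiplication."""
    return (a * b + RAY // 2) // RAY

class RTokenModel:
    """Hypothetical model: balances stored scaled, reported in underlying units."""

    def __init__(self, index: int):
        self.index = index  # stands in for LendingPool::getNormalizedIncome
        self.scaled = {}

    def mint(self, user: str, amount: int) -> None:
        self.scaled[user] = self.scaled.get(user, 0) + ray_div(amount, self.index)

    def balance_of(self, user: str) -> int:
        return ray_mul(self.scaled.get(user, 0), self.index)

    def _update(self, frm: str, to: str, amount: int) -> None:
        # Models the overridden hook: it scales whatever amount it receives.
        scaled = ray_div(amount, self.index)
        if self.scaled.get(frm, 0) < scaled:
            raise ValueError("insufficient balance")
        self.scaled[frm] -= scaled
        self.scaled[to] = self.scaled.get(to, 0) + scaled

    def transfer_double_scaled(self, frm: str, to: str, amount: int) -> None:
        # Reported behaviour: scale in transfer, then _update scales again.
        self._update(frm, to, ray_div(amount, self.index))

    def transfer_single_scaled(self, frm: str, to: str, amount: int) -> None:
        # Recommended behaviour: pass underlying units straight to _update.
        self._update(frm, to, amount)

def received(index: int, amount: int, fixed: bool) -> int:
    """Underlying-denominated balance the recipient ends up with."""
    token = RTokenModel(index)
    token.mint("alice", 1000 * 10**18)  # constructed sample deposit
    send = token.transfer_single_scaled if fixed else token.transfer_double_scaled
    send("alice", "bob", amount)
    return token.balance_of("bob")

if __name__ == "__main__":
    idx = 125 * 10**25  # constructed index of 1.25 Ray
    print(received(idx, 100 * 10**18, fixed=False), received(idx, 100 * 10**18, fixed=True))
```

In this model the recipient's shortfall grows with the index, since the second division removes another factor of the normalized income from every transfer.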