Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

Potential Over-Approval Risk as RToken Increases in Value Over Time

01. Relevant GitHub Line

02. Summary

In the RToken contract, the value of each scaled amount grows over time due to the interest accrual mechanism. If a user grants an approval at an early stage, the approved value effectively becomes larger as the index increases. This can cause unintentional over-approval of assets and potentially expose users to losses they did not anticipate.

03. Vulnerability Details

The RToken’s balanceOf function multiplies super.balanceOf(account) by ILendingPool(_reservePool).getNormalizedIncome(), causing the balance to scale upward over time. Consequently, an approve set at the beginning (when the scaled value is smaller) becomes more valuable later as the index increases.

/**
 * @notice Returns the scaled balance of the user
 * @param account The address of the user
 * @return The user's balance (scaled by the liquidity index)
 */
function balanceOf(address account) public view override(ERC20, IERC20) returns (uint256) {
    uint256 scaledBalance = super.balanceOf(account);
    return scaledBalance.rayMul(ILendingPool(_reservePool).getNormalizedIncome());
}

Therefore, if someone approves a certain amount early on, the actual value of that approval grows as the market evolves.

An additional (but separate) issue is that the current approve function does not convert the requested amount into a scaled amount, potentially causing users to approve more assets than intended. This separate issue is not covered in this report.

04. Impact

  • Users might unknowingly grant approvals that increase in real value over time, leading to unanticipated asset expenditures.

  • This discrepancy can create a risk of losing more funds than originally intended if a third party utilizes the approved tokens later, after their value has increased.

05. Tools Used

Manual Code Review and Foundry

06. Recommended Mitigation

  • Implement time-limited approvals, ensuring the approval amount is valid only for a specified period. This prevents indefinite growth of the approval’s real value over time.

  • Store approval amounts in terms of the underlying token’s value rather than scaled amounts. Then, when transferFrom is called, dynamically scale the transfer amount using the current liquidity index. This approach ensures the approval amount always reflects its actual value.
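The following model is an added illustration written for this page, not code from the RToken contract or the Regnum Aurum codebase. It covers both the scenario described in the vulnerability details (an allowance recorded as a scaled amount whose underlying value rises with the index) and the second mitigation above (allowance kept in underlying units, with transferFrom converting through the current index). It assumes ray arithmetic with 27 decimals, as in Aave-style WadRayMath; the account names, amounts and 20% index growth are constructed for the demonstration.

```python
from __future__ import annotations

# Assumption: rayMul/rayDiv on the page follow Aave-style 27-decimal ray math.
RAY = 10**27


def ray_mul(a: int, b: int) -> int:
    """Multiply two ray-scaled integers, rounding half up."""
    return (a * b + RAY // 2) // RAY


def ray_div(a: int, b: int) -> int:
    """Divide ray-scaled a by ray-scaled b, rounding half up."""
    return (a * RAY + b // 2) // b


class ScaledToken:
    """Toy model of an interest-bearing token: balanceOf = scaledBalance * index,
    mirroring the RToken.balanceOf shown above. Constructed for illustration."""

    def __init__(self, allowance_in_underlying: bool):
        self.index = RAY                                   # normalized income, 1.0 at start
        self.scaled: dict[str, int] = {}                   # scaled balances (ERC20 storage)
        self.allowance: dict[tuple[str, str], int] = {}    # (owner, spender) -> amount
        self.allowance_in_underlying = allowance_in_underlying

    def accrue(self, growth_ray: int) -> None:
        """Advance the liquidity index by a multiplicative factor given in ray."""
        self.index = ray_mul(self.index, growth_ray)

    def mint(self, to: str, underlying: int) -> None:
        self.scaled[to] = self.scaled.get(to, 0) + ray_div(underlying, self.index)

    def balance_of(self, who: str) -> int:
        return ray_mul(self.scaled.get(who, 0), self.index)

    def approve(self, owner: str, spender: str, underlying: int) -> None:
        if self.allowance_in_underlying:
            # Mitigation: record the allowance in underlying units.
            self.allowance[(owner, spender)] = underlying
        else:
            # Pattern the report warns about: allowance recorded as a scaled amount.
            self.allowance[(owner, spender)] = ray_div(underlying, self.index)

    def transfer_from(self, spender: str, owner: str, to: str, underlying: int) -> None:
        """Move `underlying` worth of tokens; the scaled amount is derived from the
        current index, so the allowance charged depends on how it was recorded."""
        scaled_amt = ray_div(underlying, self.index)
        key = (owner, spender)
        charge = underlying if self.allowance_in_underlying else scaled_amt
        if self.allowance.get(key, 0) < charge:
            raise PermissionError("insufficient allowance")
        if self.scaled.get(owner, 0) < scaled_amt:
            raise ValueError("insufficient balance")
        self.allowance[key] -= charge
        self.scaled[owner] -= scaled_amt
        self.scaled[to] = self.scaled.get(to, 0) + scaled_amt

    def spendable_underlying(self, owner: str, spender: str) -> int:
        """Underlying value the spender can still move with the remaining allowance."""
        a = self.allowance.get((owner, spender), 0)
        return a if self.allowance_in_underlying else ray_mul(a, self.index)


def demo(allowance_in_underlying: bool) -> tuple[int, int]:
    """Approve 100 underlying, let the index grow 20%, and report the spendable
    underlying value before and after accrual."""
    t = ScaledToken(allowance_in_underlying)
    t.mint("alice", 1000 * 10**18)
    t.approve("alice", "bob", 100 * 10**18)
    before = t.spendable_underlying("alice", "bob")
    t.accrue(RAY * 12 // 10)          # index: 1.0 -> 1.2
    after = t.spendable_underlying("alice", "bob")
    return before, after


if __name__ == "__main__":
    print("allowance in underlying units:", demo(True))    # (100e18, 100e18)
    print("allowance as scaled amount:   ", demo(False))   # (100e18, 120e18)
```

With the allowance kept in underlying units, a spender can move exactly the approved 100 tokens after accrual and no more; the owner's remaining balance still reflects the interest earned on what was not spent. A review of a real token should check which unit the allowance mapping stores and which unit transferFrom subtracts from it, since the two variants above differ only in that bookkeeping.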

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
