Submission Details
Severity:
Incorrect calculation of balance increase during RToken minting
Summary
The balance increase is just used to keep track of the interest accrued by the user, but does not have impact on the actual balance:
uint256 amountScaled = amountToMint.rayDiv(index);
if (amountScaled == 0) revert InvalidAmount();
//@audit this should retrieve the scaled balance use scaledBalance function
uint256 scaledBalance = balanceOf(onBehalfOf);
bool isFirstMint = scaledBalance == 0;
uint256 balanceIncrease = 0;
if (
_userState[onBehalfOf].index != 0 &&
_userState[onBehalfOf].index < index
) {
balanceIncrease =
scaledBalance.rayMul(index) -
scaledBalance.rayMul(_userState[onBehalfOf].index);
}
The current calculation fails to retrieve the actual scaled balance and instead is retrieving the updated unscaled balance using the balanceOf function. It should instead use the function from the inherited contract.
Vulnerability Details
Impact
This will just affect the monitoring systems.
Tools Used
Manual review.
Recommendations
Retrieve the actual scaled balance.
Updates
Lead Judging Commences
inallhonesty 4 months ago
Submission Judgement Published Reason: Non-acceptable severity
Assigned finding tags:
RToken::mint incorrectly uses balanceOf instead of super.balanceOf for calculating balanceIncrease, causing double-scaling and inflated interest values in events
Informational
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.