Submission Details
Severity:
Incorrect parameters return order during RToken minting
Summary
Currently the functions returns the variables in the following order:
return (isFirstMint, amountToMint, totalSupply(), amountScaled); //@audit swap places amountToMint and amountScaled
The natspec specifies the following oder:
* @return A tuple containing:
* - bool: True if this is the first mint for the recipient, false otherwise
* - uint256: The amount of scaled tokens minted
* - uint256: The new total supply after minting
* - uint256: The amount of underlying tokens minted
Vulnerability Details
Impact
The Deposit event in the lending pool will emit the underlying tokens minted instead of the scaled amount.
Tools Used
Manual review.
Recommendations
Swap the order to match what is specified in the comments.
Updates
Lead Judging Commences
inallhonesty 4 months ago
Submission Judgement Published Assigned finding tags:
RToken::mint doesn't return data in the right order, making the protocol emit wrong events
inallhonesty 4 months ago
Submission Judgement Published Assigned finding tags:
RToken::mint doesn't return data in the right order, making the protocol emit wrong events
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.