Submission Details
Severity:
Incorrect parameters returned during RToken burning
Summary
The natspec specifies the following return tuple:
* @return A tuple containing:
* - uint256: The amount of scaled tokens burned
* - uint256: The new total supply after burning
* - uint256: The amount of underlying asset transferred
The code returns the following:
return (amount, totalSupply(), amount); //@audit return scaled amount in the first parameter
Vulnerability Details
Impact
The Withdraw event emitted will return the raw withdrawn amount instead of the scaled one.
Tools Used
Manual review.
Recommendations
Return the scaled amount in the first parameter.
Updates
Lead Judging Commences
inallhonesty 4 months ago
Submission Judgement Published Assigned finding tags:
RToken::burn returns incorrect underlying asset amount (amount instead of amountScaled), leading to wrong interest rate calculations
inallhonesty 4 months ago
Submission Judgement Published Assigned finding tags:
RToken::burn returns incorrect underlying asset amount (amount instead of amountScaled), leading to wrong interest rate calculations
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.