Interest is deleted instead of accrued when supplying
Summary
Interest is deleted instead of accrued when supplying
Vulnerability Details
When RToken::mint() is called when a user supplies, we have the following code:
It calculates the interest accrued using the fresh and cached index, then we cache the fresh index. The issue is that balanceIncrease is not used anymore which means that the interest is essentially deleted, we simply update the index but don't accrue anything.
Impact
Suppliers will lose funds as they do not get interest they should
Tools Used
Manual Review
Recommendations
Use the balanceIncrease value to accrue them interest
Lead Judging Commences
RToken::mint calculates balanceIncrease (interest accrued since last interaction) but never mints it, causing users to lose earned interest between deposits
The balanceIncrease is the interest that has already accrued on the user's existing scaledBalance since their last interaction. It's not something you mint as new tokens in the _mint function.
RToken::mint calculates balanceIncrease (interest accrued since last interaction) but never mints it, causing users to lose earned interest between deposits
The balanceIncrease is the interest that has already accrued on the user's existing scaledBalance since their last interaction. It's not something you mint as new tokens in the _mint function.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.