Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Incorrect logic in `RToken::calculateDustAmount`

Summary

The dust amount is the difference between the underlying tokens deposited in the reserve by borrowers repaying loans and the liquidity plus accrued interest owed to lenders. The code currently fails to calculate this difference properly:

```solidity
function calculateDustAmount() public view returns (uint256) {
    // Calculate the actual balance of the underlying asset held by this contract
    //@audit use unscaled balance
    uint256 contractBalance = IERC20(_assetAddress)
        .balanceOf(address(this))
        .rayDiv(ILendingPool(_reservePool).getNormalizedIncome());
    // Calculate the total real obligations to the token holders
    uint256 currentTotalSupply = totalSupply();
    // Calculate the total real balance equivalent to the total supply
    uint256 totalRealBalance = currentTotalSupply.rayMul(
        ILendingPool(_reservePool).getNormalizedIncome()
    );
    // All balance, that is not tied to rToken are dust (can be donated or is the rest of exponential vs linear)
    return
        contractBalance <= totalRealBalance
            ? 0
            : contractBalance - totalRealBalance;
}
```

Here `currentTotalSupply` is already scaled, so `totalRealBalance` scales the supply a second time. The contract balance should not be divided by the liquidity index either, since it reflects an actual balance of the underlying asset (it doesn't accrue interest).

Vulnerability Details

Impact

Tools Used

Manual review.

Recommendations

Do not scale the contract balance, and use `currentTotalSupply` instead of `totalRealBalance`.
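The effect of the double scaling can be checked numerically. The following is an added example, not part of the original submission or the project's code: a Python model of the quoted function next to the recommended calculation. The half-up ray rounding, the helper names and all sample values are assumptions constructed for illustration, and `totalSupply()` is modelled as returning the index-scaled amount, as the finding states.

```python
RAY = 10**27  # fixed-point unit of the liquidity index (27 decimals)

def ray_mul(a: int, b: int) -> int:
    # Assumption: half-up rounding, as in Aave-style WadRayMath
    return (a * b + RAY // 2) // RAY

def ray_div(a: int, b: int) -> int:
    return (a * RAY + b // 2) // b

def dust_as_written(balance: int, total_supply: int, index: int) -> int:
    """Mirrors calculateDustAmount as quoted in the finding."""
    contract_balance = ray_div(balance, index)         # real balance shrunk by the index
    total_real_balance = ray_mul(total_supply, index)  # supply scaled a second time
    return max(contract_balance - total_real_balance, 0)

def dust_recommended(balance: int, total_supply: int) -> int:
    """The finding's recommendation: raw balance against totalSupply()."""
    return max(balance - total_supply, 0)

# Constructed sample values (18-decimal token units)
STORED = 1_000 * 10**18   # hypothetical stored rToken balance before indexing
SURPLUS = 50 * 10**18     # underlying tokens not owed to any holder

def scenario(index: int) -> tuple[int, int]:
    """Return (dust as written, dust as recommended) for a given index."""
    total_supply = ray_mul(STORED, index)  # modelled totalSupply(), already scaled
    balance = total_supply + SURPLUS       # modelled balanceOf(address(this))
    return (dust_as_written(balance, total_supply, index),
            dust_recommended(balance, total_supply))

if __name__ == "__main__":
    for label, index in (("1.00", RAY), ("1.01", 101 * RAY // 100), ("1.10", 11 * RAY // 10)):
        written, recommended = scenario(index)
        print(f"index {label}: as written {written / 1e18:.4f}, "
              f"recommended {recommended / 1e18:.4f}")
```

At an index of exactly 1.0 both calculations agree, so a test that never accrues interest will not expose the difference.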

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RToken::calculateDustAmount incorrectly applies liquidity index, severely under-reporting dust amounts and permanently trapping crvUSD in contract
