Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

RescueToken function in the RToken contract cannot be executed

damilolaedwards

Target

contracts/core/tokens/RToken.sol

Vulnerability Details

The RToken contract implements a rescueToken function to rescue tokens (that are’t the underlying asset) sent directly to the contract. This function can only be called by the reservePool i.e lending pool contract, however the LendingPool contract does not contain any logic to execute the rescueToken function on the RToken contract making the function useless.

function rescueToken(address tokenAddress, address recipient, uint256 amount) external onlyReservePool {
if (recipient == address(0)) revert InvalidAddress();
if (tokenAddress == _assetAddress) revert CannotRescueMainAsset();
IERC20(tokenAddress).safeTransfer(recipient, amount);
}

RToken.rescueToken

N.B : the LendingPool contract implements it’s own rescueToken function which can only be used to rescue tokens from its own contract.

Impact

Since the rescueToken logic was added to the RToken contract, it means the team expects possible direct token transfers to the RToken contract, but since the function isn’t callable these tokens will be lost

Tools Used

Manual Review

Recommendations

Add logic to the Lending Pool contract that can allow the invocation of the rescueToken function on the RToken contract

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RToken::rescueToken() can never be called

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!