Core Contracts

Summary

The RToken contract has inconsistent scaling parameters between transfer and transferFrom functions, and lacks proper scaling in approve function. This can lead to incorrect transfer amounts and broken approve/transferFrom functionality.

Vulnerability Details

1. In the transfer function, amounts are scaled using getNormalizedIncome():

   function transfer(address recipient, uint256 amount) public override(ERC20, IERC20) returns (bool) {

   uint256 scaledAmount = amount.rayDiv(ILendingPool(_reservePool).getNormalizedIncome());

   return super.transfer(recipient, scaledAmount);

   }

2. However, in transferFrom, amounts are scaled using _liquidityIndex, which is NEVER updated :

   function transferFrom(address sender, address recipient, uint256 amount) public override(ERC20, IERC20) returns (bool) {

   uint256 scaledAmount = amount.rayDiv(_liquidityIndex);

   return super.transferFrom(sender, recipient, scaledAmount);

   }

3. The approve function inherits from ERC20 without any scaling, which means approved amounts won't match the scaled amounts needed for transferFrom

Impact

1. Transfers using transfer vs transferFrom will result in different amounts being moved due to different scaling factors

2. Approvals won't work correctly with transferFrom since the approved amount isn't scaled but transferFrom expects scaled amounts

3. This could lead to failed transfers and broken token functionality in DeFi integrations

Tools Used

• Manual code review

Recommendations

Use consistent scaling across all transfer functions