Rtoken transfer fails to transfer all the tokens
Summary
transfer function divides amount twice by normalizedIncome, so less than expected tokens amount will be transfered.
Vulnerability Details
Amount to transfer is multiplied firstly in transfer function and later ERC20 calls _update to move the tokens, and it is multiplied there again.
User deposit 100 tokens at index 1.0
Index goes to 1.1, user has 110 tokens, but his scaled amount is equal to 100
user transfer 110 Rtokens
line 4: transfer function divides amount (110) by 1.1 which gives 100 ( this is his scaled amount )
line 5: super.transfer calls _update
line 12: Scaled 100 is divided again by 1.1 which gives 90.9090909090909 in scaled amount
90.9090909090909 in scaled amount is equal to 100 after multiplying by index.
So even though user wanted to transfer 110 tokens, he was able to transfer only 100.
Recipient gets 100 RTokens
User stays with his 10 RTokens
Impact
User is not able to transfer all his tokens. Even after multiple tries there will be some dust.
Tools Used
Manual Review
Recommendations
transfer function should not divide amount by normalized index. Only _update should do it
Lead Judging Commences
RToken::transfer and transferFrom double-scale amounts by dividing in both external functions and _update, causing users to transfer significantly less than intended
RToken::transfer and transferFrom double-scale amounts by dividing in both external functions and _update, causing users to transfer significantly less than intended
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.