Summary

The deposit function in the provided smart contract incorrectly handles the return values from the mint function. Specifically, the mint function returns (isFirstMint, amountToMint, totalSupply(), amountScaled), but the deposit function assumes the return values are (isFirstMint, amountScaled, newTotalSupply, amountUnderlying). This mismatch in return value handling can lead to incorrect calculations of minted amounts, liquidity updates, and financial inconsistencies in the protocol.

Vulnerability Details

The mint function returns the following values:

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/tokens/RToken.sol#L140

1. isFirstMint: A boolean indicating whether this is the first mint for the user.

2. amountToMint: The actual amount of RTokens minted.

3. totalSupply(): The total supply of RTokens after minting.

4. amountScaled: The scaled amount of RTokens based on the index.

However, the deposit function incorrectly interprets these return values as:

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/libraries/pools/ReserveLibrary.sol#L337

1. isFirstMint: Correctly interpreted.

2. amountScaled: Incorrectly interpreted as the second return value (should be amountToMint).

3. newTotalSupply: Incorrectly interpreted as the third return value (should be totalSupply()).

4. amountUnderlying: Incorrectly interpreted as the fourth return value (should be amountScaled).

Impact

Incorrect Event emission.

Recommendations

Correct Return Value Handling: Update the deposit function to correctly interpret the return values from the mint function.