Incorrect obligations calculation on `claculateDustAmount()`
Vulnerability Details
At RToken::calculateDustAmount(), totalRealBalance calculation is wrong. This is because rayMul() is multiplied 2 times.
It should only be applied once.
Proof Of Concept
One of the
mulDiv()is applied in the very same function here.But the amount being multiplied comes from a
totalSupply()call, which also multiplied, here is the call. And here is the totalsupply logic that also multiplies.
Impact
Incorrect dust calculations. Accounting some dust as obligations to the lenders.
This is because if there is some dust amount, it is calculated from the total supply times the liquidity index, and this is multiplied twice, thus calculating more obligations than the real ones.
Then the obligations are substracted in the return value of the function here. And here you can see that calculate dust amounts function is used when transferring the dust out.
Recommendations
Only apply rayMul() once on the totalRealBalance calculation.
Lead Judging Commences
RToken::calculateDustAmount incorrectly applies liquidity index, severely under-reporting dust amounts and permanently trapping crvUSD in contract
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.