Balance of underlying is treated as balance of RToken when calculating dust, leading to loss of revenue
Vulnerability Details
At RToken::calculateDustAmount(), contractBalance calculation is wrong. You do not have to divide by any index because you are checking for the _assetAddress address balance, which is the udnerlying token, not the RToken. See here the wrong usage on the function.
See here to confirm that _assetAddress is actually the underlying asset and not the interest bearing one.
Impact
Incorrect dust calculations. Accounting for less balance that you actually have, missing on some dust amounts from compounding debt.
Notice that amounts can be dust, but this depends on how much debt there is, it can increase and will increase over time until at some point not be dust anymore.
Then contractBalance variable is used in the return value like so, here. And here you can see that calculate dust amounts function is used when transferring the dust out.
As contractBalance is being subtracted from, the less balance the less you receive. So you are missing on dust. Also if the miscalculated amount differs enough a 0 will be returned, being able to claim no "dust" at all.
Recommendation
Do not apply the interest index, as you are reading from the underlying token.
Lead Judging Commences
RToken::calculateDustAmount incorrectly applies liquidity index, severely under-reporting dust amounts and permanently trapping crvUSD in contract
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.