Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Incorrect Calculation and Return Values in `burn` Function

Summary

The burn function of the RToken contract contains two critical bugs:

  1. Incorrect Calculation of amountScaled: The function calculates amountScaled using amount.rayMul(index) instead of amount.rayDiv(index), as specified in the function's comment.

  2. Incorrect Return Values: The function emits and returns (amount, totalSupply(), amount) instead of (amountScaled, totalSupply(), amount), as described in the comment.

These discrepancies lead to incorrect token burning, improper accounting, and potential inconsistencies in the token supply and user balances.


Vulnerability Details

  • Function: burn

  • Issues:

    1. Incorrect Calculation of amountScaled:
      https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/tokens/RToken.sol#L172

      • Code Location:

        uint256 amountScaled = amount.rayMul(index); // Incorrect calculation

      • Expected Behavior:
        The amountScaled should be calculated as amount.rayDiv(index) to convert the underlying asset amount into the scaled token amount.

      • Actual Behavior:
        The function uses amount.rayMul(index), which results in an inflated amountScaled value. This leads to burning more tokens than intended.

    2. Incorrect Return Values:
      https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/tokens/RToken.sol#L184

      • Code Location:

        return (amount, totalSupply(), amount); // Incorrect return values

      • Expected Behavior:
        The function should return (amountScaled, totalSupply(), amount) as specified in the comment.

      • Actual Behavior:
        The function returns (amount, totalSupply(), amount), which does not align with the intended behavior and can cause confusion or errors in downstream processes.

  • Root Cause:

    • The logic for converting the underlying asset amount to the scaled token amount was incorrectly implemented, using multiplication instead of division.

    • The return values were not updated to reflect the correct values, leading to inconsistencies between the function's behavior and its documentation.


Impact

Misleading Data:

  • The incorrect return values can mislead external systems or interfaces that rely on the function's output, potentially causing further issues in the ecosystem.


Mitigation

To fix these issues, the following changes should be implemented:

  1. Correct Calculation of amountScaled:
    Update the calculation to use amount.rayDiv(index):

    uint256 amountScaled = amount.rayDiv(index); // Correct calculation

  2. Correct Return Values:
    Update the return statement to emit and return (amountScaled, totalSupply(), amount):

    return (amountScaled, totalSupply(), amount); // Correct return values
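
A worked model of the two reported defects, added here as an example (it is not code from the RAAC repository or from this submission). `ScaledLedger` is a hypothetical simplification that stores scaled balances, `ray_mul`/`ray_div` assume Aave-style half-up ray rounding, and the amounts and the 1.25 index are constructed.

```python
# Added example: simplified, hypothetical model of scaled-balance accounting.
RAY = 10**27  # 27-decimal fixed point used for the liquidity index

def ray_mul(a: int, b: int) -> int:
    """a * b in ray precision, rounding half up (assumed Aave-style)."""
    return (a * b + RAY // 2) // RAY

def ray_div(a: int, b: int) -> int:
    """a / b in ray precision, rounding half up (assumed Aave-style)."""
    return (a * RAY + b // 2) // b

class ScaledLedger:
    """Stores scaled balances; underlying balance = scaled * index."""

    def __init__(self) -> None:
        self.scaled: dict[str, int] = {}

    def balance_of(self, user: str, index: int) -> int:
        return ray_mul(self.scaled.get(user, 0), index)

    def total_supply(self, index: int) -> int:
        return ray_mul(sum(self.scaled.values()), index)

    def mint(self, user: str, amount: int, index: int) -> None:
        self.scaled[user] = self.scaled.get(user, 0) + ray_div(amount, index)

    def burn(self, user: str, amount: int, index: int, buggy: bool = False):
        # buggy=True reproduces both reported defects: rayMul scaling and
        # returning `amount` where `amountScaled` is documented.
        amount_scaled = ray_mul(amount, index) if buggy else ray_div(amount, index)
        if amount_scaled > self.scaled.get(user, 0):
            raise ValueError("burn exceeds scaled balance")
        self.scaled[user] -= amount_scaled
        first = amount if buggy else amount_scaled
        return first, self.total_supply(index), amount

UNIT = 10**18         # constructed: 18-decimal token
INDEX = 125 * 10**25  # constructed: liquidity index of 1.25

def partial_burn(buggy: bool):
    """Deposit 1000, burn 400 at the same index; return (burn result, balance left)."""
    ledger = ScaledLedger()
    ledger.mint("alice", 1000 * UNIT, INDEX)
    result = ledger.burn("alice", 400 * UNIT, INDEX, buggy=buggy)
    return result, ledger.balance_of("alice", INDEX)

if __name__ == "__main__":
    print("fixed:", partial_burn(False))
    print("buggy:", partial_burn(True))
```

In this model the buggy path removes 500 scaled units for a 400-unit withdrawal, and a full 1000-unit withdrawal asks for 1250 scaled units against a scaled balance of 800, so it fails outright.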

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

RToken::burn returns incorrect underlying asset amount (amount instead of amountScaled), leading to wrong interest rate calculations

RToken::burn incorrectly calculates amountScaled using rayMul instead of rayDiv, causing incorrect token burn amounts and breaking the interest accrual mechanism
