`RToken::transfer` & `RToken::transferFrom` have incosistent calculations over transferred amounts, leading to different amounts transferred according to the call.
Summary
The RToken contract uses a calculation logic based on Aave's aToken index-based system. To do it, they override three critical functions:
transfer()transferFrom()_update()
Vulnerability Details
On transfer() function they use the rayDivfunction over the input amount and the normalizedIncome from the LendingPool. On transferFrom() they use the rayDiv function over the input amountand the _liquidityIndex. This inconsistency puts the protocol in an inconsistent state because they are different indexes and reflect different scenarios.
[transferFrom]()
Impact
Values that should be consistent through both functions will have different values according to the normalizedIncode and _liquidityIndex variation. E.g: if user A calls `transfer` user B will receive 1e18. If user B calls transferFrom to get the tokens from user A, he can receive 1e17 or 1e19, according to the variation between indexes. The difference can be way bigger due to protocol usage.
Tools Used
Code Review
Recommendations
Standardize the calculations using only the index that fits better the protocol design.
Lead Judging Commences
RToken::transfer uses getNormalizedIncome() while transferFrom uses _liquidityIndex, creating inconsistent transfer amounts depending on function used
RToken::transfer uses getNormalizedIncome() while transferFrom uses _liquidityIndex, creating inconsistent transfer amounts depending on function used
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.