The rToken mint() function calculates accrued interest but does so incorrectly, overestimating the additional balance a user has earned. This could allow users to receive more tokens than they should, impacting the protocol’s token economy.
The issue occurs in the following code:
https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/tokens/RToken.sol#L130-L132
The contract attempts to calculate the extra balance a user has gained due to interest. However, the subtraction method used here can overestimate the amount, leading to a situation where the user receives more tokens than they should.
The problem is that rayMul(index) applies a scaling factor that is meant for underlying asset calculations. Using it in this context miscalculates the balance increase, because scaledBalance holds the user's balance as returned by the balanceOf function, where it has already been scaled:
https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/tokens/RToken.sol#L194C5-L197C6
Users receive more tokens than they are supposed to.
Can lead to token supply inflation, affecting overall protocol balance.
Manual code review
Use the already scaled balance to perform the balance increase calculations and do not multiply it by the index a second time.
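A numeric model of the double scaling described in this finding, added here as an illustration and not taken from the RAAC code base. The Python function names, the half-up rounding in ray_mul, the subtraction form of the increase and the sample balances and indices are all assumptions constructed for the example.

```python
RAY = 10**27  # 27-decimal fixed-point unit used by ray math


def ray_mul(a: int, b: int) -> int:
    """Fixed-point multiply of two ray values, rounding half up (assumed rounding)."""
    return (a * b + RAY // 2) // RAY


def balance_of(stored_scaled: int, index: int) -> int:
    """Model of balanceOf: the stored balance with the index already applied once."""
    return ray_mul(stored_scaled, index)


def increase_double_scaled(stored_scaled: int, prev_index: int, index: int) -> int:
    """Pattern the finding describes: start from balanceOf, then rayMul by the index again.

    Assumed shape: value at the new index minus value at the user's previous index.
    """
    bal = balance_of(stored_scaled, index)  # index applied here ...
    return ray_mul(bal, index) - ray_mul(bal, prev_index)  # ... and a second time here


def increase_single_scaled(stored_scaled: int, prev_index: int, index: int) -> int:
    """One reading of the recommendation: use the already scaled balance as is.

    The index is applied exactly once on each side of the subtraction.
    """
    return balance_of(stored_scaled, index) - ray_mul(stored_scaled, prev_index)


def overestimate(stored_scaled: int, prev_index: int, index: int) -> int:
    """Extra amount credited by the double-scaled calculation."""
    return (increase_double_scaled(stored_scaled, prev_index, index)
            - increase_single_scaled(stored_scaled, prev_index, index))


if __name__ == "__main__":
    # Constructed sample: 1000 tokens stored, index moved from 1.10 to 1.21.
    stored = 1000 * 10**18
    prev_index = 11 * 10**26
    index = 121 * 10**25
    for name, fn in (("double-scaled", increase_double_scaled),
                     ("single-scaled", increase_single_scaled),
                     ("overestimate", overestimate)):
        print(f"{name:>14}: {fn(stored, prev_index, index) / 10**18:.1f} tokens")
```

In this model the overestimate grows with the index itself: the double-scaled increase equals the single-scaled increase multiplied once more by the current index.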