RToken Burn Function Uses Unscaled Amount Leading to Excessive Token Burns
Summary
The RToken contract's burn function uses the unscaled amount instead of the scaled amount when burning tokens, resulting in an incorrect number of tokens being burned and potential loss of user funds.
Vulnerability Details
The function calculates a scaled amount but ignores it, instead burning the raw amount. This means the number of RTokens burned doesn't account for the accumulated interest represented by the index.
Example:
User wants to burn equivalent of 100 underlying Tokens
Current index: 2.0 RAY
Should burn: 50 RTokens for 100 underlying tokens
Actually burns: 100 RTokens for 100 underlying tokens
Impact
HIGH - Users losing RTokens. This vulnerability results in:
Users losing more RTokens than they should when burning
Misalignment between RToken supply and underlying asset reserve
Tools Used
Recommendations
Use the scaled amount in the burn operation.
Lead Judging Commences
RToken::burn incorrectly burns amount (asset units) instead of amountScaled (token units), breaking token economics and interest-accrual mechanism
RToken::burn incorrectly burns amount (asset units) instead of amountScaled (token units), breaking token economics and interest-accrual mechanism
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.