Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

burn() in RToken contains extraneous and redundant code

nadir_khan_sec

Summary

The burn() function in the RToken contract contains two issues related to scaling and state updates:

  1. The user’s stored liquidity index (_userState[from].index) is redundantly set twice within the function.

  2. The variable amountScaled is calculated by multiplying the (unscaled) burn amount by the liquidity index via rayMul(index), even though the user's balance is already scaled. This results in a double scaling effect. Furthermore, the computed amountScaled is never used in the subsequent logic, making the calculation both unused and dangerous if it were relied upon in future updates.

Vulnerability Details

function burn(
address from,
address receiverOfUnderlying,
uint256 amount,
uint256 index
) external override onlyReservePool returns (uint256, uint256, uint256) {
if (amount == 0) {
return (0, totalSupply(), 0);
}
uint256 userBalance = balanceOf(from); //@audit-issue scaling userBalance ONCE...
_userState[from].index = index.toUint128();
if(amount > userBalance){
amount = userBalance;
}
uint256 amountScaled = amount.rayMul(index); //@audit if amount > userBalance than userBalance is scaled AGAIN. WRONG.
_userState[from].index = index.toUint128();//@audit being set twice!! see Line 172
_burn(from, amount.toUint128());
if (receiverOfUnderlying != address(this)) {
IERC20(_assetAddress).safeTransfer(receiverOfUnderlying, amount);
}
emit Burn(from, receiverOfUnderlying, amount, index);
return (amount, totalSupply(), amount);
}

Impact

  • Code Readability & Maintainability:
    The redundant assignment of _userState[from].index may confuse future maintainers, who might assume that each assignment serves a distinct purpose.

  • Risk of Incorrect Behavior:
    The amountScaled calculation is performed incorrectly by scaling an already scaled balance (if the underlying logic follows a similar pattern as in the mint function). Although amountScaled is not used later in the function, any future modifications or refactoring that assume its correctness might inadvertently lead to excessive burning (or minting) of tokens, potentially causing a Denial of Service (DoS) attack.

Tools Used

Manual review

Recommendations

  • Remove the Redundant Index Update:
    Only set _userState[from].index once at the appropriate point in the function.

  • Review and Correct the Scaling Calculation:

    • Revisit the intended design: determine whether the burn amount should be scaled by the liquidity index or if the user's balance is already scaled.

    • Remove the extraneous multiplication (i.e., avoid using amount.rayMul(index) if the amount is already scaled), or perform the calculation on an unscaled value and store the result in a separate variable if necessary.

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RToken::burn incorrectly calculates amountScaled using rayMul instead of rayDiv, causing incorrect token burn amounts and breaking the interest accrual mechanism

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RToken::burn incorrectly calculates amountScaled using rayMul instead of rayDiv, causing incorrect token burn amounts and breaking the interest accrual mechanism

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.