Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Wrong index used in transferFrom in RToken

Vulnerability Details

The RToken::transferFrom() uses _liquidityIndex. Here.

This is not correct as it is not the current index in the lending pool.

In fact, it is meant to be updated through the RToken::updateLiquidityIndex() function. But this function has an onlyReservePool modifier, and the reserve pool is the LendingPool, yet this pool makes 0 calls to this function. See here.

Just parse the LendingPool code, here: there is no call.

Thus the _liquidityIndex will never be updated and will remain at the 1 RAY set at construction time. Here.

Impact

transferFrom will always transfer a larger amount than it should, because it uses a different index than the LendingPool one.

The amount is larger than it should be because the index is used as a divisor, and 1 RAY will always be smaller than the ever-growing index of the lending pool.

Recommendations

Fetch the index from the lending pool, and update the lending pool index before fetching it.
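
A simplified numeric model of the impact and the recommended fix, added here as an example and not the project's code. It assumes an Aave-style token that stores scaled balances and multiplies by the pool index when reporting a balance; the class and method names, the half-up ray rounding and the 10% index growth are constructed for illustration.

```python
RAY = 10**27  # 27-decimal fixed point; the "1 RAY" index set at construction

def ray_mul(a, b):
    return (a * b + RAY // 2) // RAY      # half-up rounding (assumed)

def ray_div(a, b):
    return (a * RAY + b // 2) // b        # half-up rounding (assumed)

class Pool:
    """Hypothetical stand-in for the LendingPool: owns the live index."""
    def __init__(self):
        self.index = RAY
    def accrue(self, rate_ray):
        self.index = ray_mul(self.index, RAY + rate_ray)
    def get_normalized_income(self):
        return self.index

class ScaledToken:
    """Hypothetical token: stores scaled units, reports scaled * live index."""
    def __init__(self, pool):
        self.pool, self.scaled = pool, {}
        self._liquidity_index = RAY       # never updated afterwards: the bug
    def mint(self, to, amount):
        idx = self.pool.get_normalized_income()
        self.scaled[to] = self.scaled.get(to, 0) + ray_div(amount, idx)
    def balance_of(self, who):
        return ray_mul(self.scaled.get(who, 0), self.pool.get_normalized_income())
    def _move(self, src, dst, scaled_amount):
        if self.scaled.get(src, 0) < scaled_amount:
            raise ValueError("insufficient balance")
        self.scaled[src] -= scaled_amount
        self.scaled[dst] = self.scaled.get(dst, 0) + scaled_amount
    def transfer(self, src, dst, amount):
        self._move(src, dst, ray_div(amount, self.pool.get_normalized_income()))
    def transfer_from_stale(self, src, dst, amount):
        self._move(src, dst, ray_div(amount, self._liquidity_index))
    def transfer_from_fixed(self, src, dst, amount):
        # Recommendation: divide by the pool's index, read after it is updated.
        self._move(src, dst, ray_div(amount, self.pool.get_normalized_income()))

def received_for(method_name, amount=100 * 10**18):
    """Balance the recipient ends up with after a transfer of `amount`."""
    pool, token = Pool(), None
    token = ScaledToken(pool)
    token.mint("alice", 1000 * 10**18)    # constructed sample deposit
    pool.accrue(RAY // 10)                # constructed: index grows to 1.1 RAY
    getattr(token, method_name)("alice", "bob", amount)
    return token.balance_of("bob")
```

With the index at 1.1 RAY, the stale path moves 10% more than the requested amount, while the transfer path and the fixed transferFrom path agree.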

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RToken::updateLiquidityIndex() has onlyReservePool modifier but LendingPool never calls it, causing transferFrom() to use stale liquidity index values

RToken::transfer uses getNormalizedIncome() while transferFrom uses _liquidityIndex, creating inconsistent transfer amounts depending on function used
