The calculateDustAmount Function Overestimates Total Obligations thus Making Excess Funds Appear Nonexistent
Summary
The calculateDustAmount function in RToken.sol applies the liquidity index twice, making the protocol’s total obligations appear larger than they actually are.
Vulnerability Details
The problematic line:
https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/tokens/RToken.sol#L325
Since currentTotalSupply returns totalSupply which is already in a scaled form, multiplying by getNormalizedIncome() scales it again, inflating the obligation amount.
https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/tokens/RToken.sol#L203-L205
Impact
This miscalculation makes dust funds appear nonexistent, as totalRealBalance will always be greater than contractBalance. As a result, the function will always return 0, meaning no excess funds will ever be recognized. This leads to unclaimed tokens being left in the contract indefinitely.
Tools Used
Manual code review
Recommendations
Ensure that currentTotalSupply is only scaled once by checking its original form.
Lead Judging Commences
RToken::calculateDustAmount incorrectly applies liquidity index, severely under-reporting dust amounts and permanently trapping crvUSD in contract
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.