Incorrect Balance Update Due to Scaled Amount Mismatch in Stability Pool Deposits
Summary
The deposit function in the Stability Pool incorrectly updates user balances based on the requested amount instead of the actual transferred amount. Since rToken operates with scaled balances, the recorded deposit amount can differ from what is actually received.
Vulnerability Details
The function deposit uses:
However, rToken scales transfers internally:
This discrepancy means the user's recorded deposit might be inaccurate.
Impact
Users may have incorrect deposit balances, which can lead to miscalculations in rewards, withdrawals, or overall pool accounting.
Tools Used
Manual code review.
Recommendations
Use the actual transferred amount to update deposits:
uint256 beforeBalance = rToken.balanceOf(address(this));rToken.safeTransferFrom(msg.sender, address(this), amount);uint256 afterBalance = rToken.balanceOf(address(this));uint256 actualReceived = afterBalance - beforeBalance;userDeposits[msg.sender] += actualReceived;Ensure that reward calculations use the correct deposit amounts.
Lead Judging Commences
StabilityPool's userDeposits mapping doesn't update with DEToken transfers or interest accrual, and this combined with RToken transfers causes fund loss and permanent lockup
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.