Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Mathematical Error in RToken's Dust Calculation

Summary

A critical mathematical error was discovered in the calculateDustAmount() function of the RToken contract. The function mishandles the normalized income in two ways: it divides the actual token balance by the normalized income, and it multiplies the total supply by the normalized income twice. This results in significant underestimation of dust amounts and potential permanent locking of funds in the contract.

Vulnerability Details

The calculateDustAmount() function contains two critical mathematical errors:

1. Incorrect Balance Normalization

uint256 contractBalance = IERC20(_assetAddress).balanceOf(address(this)).rayDiv(ILendingPool(_reservePool).getNormalizedIncome());

The actual token balance is incorrectly divided by normalized income, artificially reducing the reported contract balance. The actual balance represents real tokens and should not be normalized.

2. Double Interest Application

// First multiplication in totalSupply():
function totalSupply() public view override(ERC20, IERC20) returns (uint256) {
    return super.totalSupply().rayMul(ILendingPool(_reservePool).getNormalizedIncome());
}
// Second multiplication in calculateDustAmount():
uint256 totalRealBalance = currentTotalSupply.rayMul(ILendingPool(_reservePool).getNormalizedIncome());

The normalized income is applied twice to the total supply calculation, exponentially inflating the reported total balance.

Impact

The vulnerability has severe implications for the protocol, due to underestimated contract balances and overestimated total supplies:

  1. Dust amounts will be reported as zero even when excess funds exist, permanently locking funds in the contract.

  2. Legitimate dust transfers are prevented, disrupting the protocol's interest distribution mechanism.

  3. Over time, as normalized income increases with accrued interest, the magnitude of the calculation error grows exponentially, potentially affecting protocol solvency and user fund accessibility.

Tools Used

  • Manual code review

Recommendations

  • Remove the incorrect normalization of contract balance:

uint256 contractBalance = IERC20(_assetAddress).balanceOf(address(this));

  • Remove the redundant normalized income multiplication:

uint256 totalRealBalance = totalSupply(); // Already includes normalized income
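
The two errors and the recommended fix can be checked numerically with the model below, an added example that is not part of the original submission or the project's code. It assumes rayMul/rayDiv are 27-decimal fixed-point operations with half-up rounding, that the function's last step returns the balance minus the total (or zero), and it uses constructed sample values.

```python
RAY = 10**27  # 27-decimal fixed-point unit (assumed ray precision)

def ray_mul(a, b):
    # Fixed-point multiply, rounding half up (assumed rayMul behaviour)
    return (a * b + RAY // 2) // RAY

def ray_div(a, b):
    # Fixed-point divide, rounding half up (assumed rayDiv behaviour)
    return (a * RAY + b // 2) // b

def total_supply(scaled_supply, index):
    # Mirrors totalSupply(): stored scaled supply times normalized income
    return ray_mul(scaled_supply, index)

def dust_buggy(asset_balance, scaled_supply, index):
    # Error 1: the real asset balance is divided by the normalized income
    contract_balance = ray_div(asset_balance, index)
    # Error 2: totalSupply() already applied the index; it is applied again
    total_real_balance = ray_mul(total_supply(scaled_supply, index), index)
    # Assumed final step: excess of balance over obligations, floored at zero
    return max(contract_balance - total_real_balance, 0)

def dust_fixed(asset_balance, scaled_supply, index):
    # Recommended form: raw balance against totalSupply(), index applied once
    return max(asset_balance - total_supply(scaled_supply, index), 0)

# Constructed sample state (18-decimal asset):
SCALED_SUPPLY = 1_000 * 10**18   # stored scaled supply
INDEX = 11 * 10**26              # normalized income of 1.1
ASSET_BALANCE = 1_105 * 10**18   # 1100 owed to holders plus 5 of dust

if __name__ == "__main__":
    print("buggy dust:", dust_buggy(ASSET_BALANCE, SCALED_SUPPLY, INDEX))
    print("fixed dust:", dust_fixed(ASSET_BALANCE, SCALED_SUPPLY, INDEX))
    # With no accrued interest (index == RAY) both versions agree,
    # so the error only shows once the index rises above 1.0.
    print("agree at 1.0:", dust_buggy(ASSET_BALANCE, SCALED_SUPPLY, RAY)
          == dust_fixed(ASSET_BALANCE, SCALED_SUPPLY, RAY))
```
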

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RToken::calculateDustAmount incorrectly applies liquidity index, severely under-reporting dust amounts and permanently trapping crvUSD in contract
