Core Contracts

Summary

as per documents of the protocol, interest paid by borrowers is bigger than interest received by depositors . So there will be dust amounts in the RToken contract.those dust amounts can be transferred from the RToken contract by Reserve Pool. but as the dust amount calculation is incorrect(which is explained in vulnerability details), so dust amounts will be stuck in the RToken contract.

Vulnerability Details

1. Let’s assume , total crvUSD deposited by depositors = 1000e18, total crvUSD borrowed by borrowers is also = 1000e18(without interest ). Currently liquidityIndex = 1.2e27(as liquidityIndex is calculated using linear interest), usageIndex = 1.3e27(as borrowIndex is calculated using compounded interest).

2. after that, all borrowed amount i.e (1000e18*1.3e27)/1e27 = 1300e18(with interest ) is repaid by borrowers.

**3. now depositors will withdraw (1000e18*1.2e27)/1e27 = 1200e18(with interest ) **

4. Interest paid by borrowers = 300e18 and interest received by depositors = 200e18. So the dust amount is 300e18 - 200e18 = 100e18.

5. so currently total crvUSD balance in RToken is (1000e18*1.3e27)/1e27 = 1300e18(with interest ), total supply of RToken is (1000e18*1.2e27)/1e27 = 1200e18.

**6. now function transferAccruedDust(RToken) is called by Reserve Pool which calls function calculateDustAmount where contractBalance = (1300e18*1e27)/1.3e27 = 1000e18 , currentTotalSupply = (1000e18*1.2e27)/1e27 = 1200e18, totalRealBalance = (currentTotalSupply*1.2e27)/1e27 = (1200e18*1.2e27)/1e27 = 1440e18. As contractBalance

Impact

as the dust amount calculation is incorrect, so dust amounts will be stuck in the RToken contract.

Tools Used

manual review

Recommendations

calculate properly dust amount calculation.