Core Contracts

Description

The burn function in RToken.sol incorrectly returns the unscaled amount instead of the scaled amount. This function is critically used in two core protocol operations:

• Debt Repayment (_repay function):

• Liquidation Finalization (finalizeLiquidation function):

The vulnerability exists in the burn implementation:

The issue occurs because the index, which represents accumulated interest, is not factored into the returned amount. This affects both regular repayments and liquidations, making the protocol collect insufficient funds in both critical operations. Since the index naturally grows above RAY (1e27) as interest accumulates, this is a guaranteed issue in production.

Impact

The vulnerability has severe financial implications:

1. Direct Protocol Losses:

   • At 5% APY after 1 year:

     Debt Repayment: 100,000 USDC

     Should Collect: 105,000 USDC

     Actually Collects: 100,000 USDC

     Loss: 5,000 USDC (5% loss per transaction)

   • Losses increase with time as the index grows

   • Every repayment and liquidation is affected

2. Systemic Protocol Risks:

   • Protocol becomes increasingly undercollateralized

   • Interest rate calculations use incorrect amounts

   • Liquidation mechanisms collect insufficient collateral

   • Bad debt accumulates over time

3. Timeline of Impact:

   • 1 week: ~0.1% loss per transaction

   • 1 month: ~0.4% loss per transaction

   • 6 months: ~2.5% loss per transaction

   • 1 year: ~5% loss per transaction

4. Affected Parties:

   • Protocol: Loses value on every repayment

   • Depositors: Risk of insufficient collateral backing their deposits

   • Liquidators: Receive incorrect incentives

   • Overall protocol solvency is compromised

Recommended Mitigation

Immediate Fix

Modify the return statement in RToken.sol's burn function to return the scaled amount: