Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

Interest Accrual Omission in RToken Mint Function Leading to Loss of User Funds

Summary

The RToken contract's mint function fails to account for accrued interest on a user's existing balance when processing new deposits. This omission results in users not receiving the interest they've earned between their last interaction and the new deposit, leading to a direct financial loss.

Vulnerability Details

The mint function in the RToken contract calculates the balanceIncrease (accrued interest) for a user's existing balance but does not add this amount to the newly minted tokens. The interest is calculated based on the difference between the current and previous liquidity indices. However, the code neglects to include this accrued interest in the amountToMint, causing the user's earned interest to remain undistributed.

    if (_userState[onBehalfOf].index != 0 && _userState[onBehalfOf].index < index) {
        balanceIncrease = scaledBalance.rayMul(index) - scaledBalance.rayMul(_userState[onBehalfOf].index);
    }
    _mint(onBehalfOf, amountToMint.toUint128()); // balanceIncrease not included in amountToMint

POC

  1. Initial Deposit:

    • Alice deposits 100 crvUSD when the liquidity index is 1.0 RAY.

    • She receives 100 RToken (scaled balance: 100 / 1.0 = 100).

  2. Interest Accrual:

    • Over time, the liquidity index increases to 1.05 RAY due to interest.

    • Alice's balance is now 100 * 1.05 = 105 crvUSD (but scaled balance remains 100).

  3. Second Deposit:

    • Alice deposits another 100 crvUSD.

    • The balanceIncrease is calculated as 100 * (1.05 - 1.0) = 5 crvUSD.

    • Expected Behavior: Alice's new deposit should be 100 + 5 = 105 crvUSD (scaled to 100 / 1.05 ≈ 95.238), totaling 100 + 95.238 = 195.238 scaled tokens. Her balance should be 195.238 * 1.05 ≈ 205 crvUSD.

    • Actual Behavior: The code mints only 100 crvUSD (scaled to 95.238), resulting in a scaled balance of 100 + 95.238 = 195.238. Her balance is 195.238 * 1.05 ≈ 205 crvUSD, but the 5 crvUSD interest from her initial deposit is not minted, leading to a discrepancy.

  4. Result:

    • Alice's accrued interest (5 crvUSD) is not minted as RToken, causing a loss of funds.

Impact

  • Loss of User Funds: Users lose the interest accrued on their existing deposits when making new transactions, violating the protocol's interest distribution mechanism.

Tools Used

Manual review

Recommendations

Modify the mint function to include the balanceIncrease in the amountToMint:

function mint(
address caller,
address onBehalfOf,
uint256 amountToMint,
uint256 index
) external override onlyReservePool returns (bool, uint256, uint256, uint256) {
if (amountToMint == 0) {
return (false, 0, 0, 0);
}
uint256 amountScaled = amountToMint.rayDiv(index);
if (amountScaled == 0) revert InvalidAmount();
uint256 scaledBalance = balanceOf(onBehalfOf);
bool isFirstMint = scaledBalance == 0;
uint256 balanceIncrease = 0;
if (_userState[onBehalfOf].index != 0 && _userState[onBehalfOf].index < index) {
balanceIncrease = scaledBalance.rayMul(index) - scaledBalance.rayMul(_userState[onBehalfOf].index);
}
_userState[onBehalfOf].index = index.toUint128();
+ amountToMint += balanceIncrease;
_mint(onBehalfOf, amountToMint.toUint128());
emit Mint(caller, onBehalfOf, amountToMint, index);
return (isFirstMint, amountToMint, totalSupply(), amountScaled);
}
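
Review bot: the added `amountToMint += balanceIncrease;` sits after `uint256 amountScaled = amountToMint.rayDiv(index);`, so `_mint`, the `Mint` event and the second return value would carry the deposit plus balanceIncrease while the returned `amountScaled` still reflects the deposit alone, leaving the function's own outputs inconsistent with each other. balanceIncrease is derived from `scaledBalance` and the index change, not from anything the caller supplied, so the added line also mints more than the `amountToMint` the reserve pool passed in. I would drop the added line; if the accrued amount needs to be visible to callers, report it as a separate value without changing the minted amount.
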
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

RToken::mint calculates balanceIncrease (interest accrued since last interaction) but never mints it, causing users to lose earned interest between deposits

The balanceIncrease is the interest that has already accrued on the user's existing scaledBalance since their last interaction. It's not something you mint as new tokens in the _mint function.
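
The POC's numbers can be replayed against a minimal scaled-balance ledger to check a finding like this before filing or judging it. This is an added example, not the RAAC contract code or part of the submission or judgement; `ScaledLedger`, `replay`, the half-up ray rounding and the storage model (store amount / index, report stored × index, as the POC's own steps describe) are assumptions.

```python
RAY = 10**27  # 27-decimal fixed point used for the liquidity index
WAD = 10**18  # 18-decimal token unit (assumed for crvUSD amounts)

def ray_mul(a: int, b: int) -> int:
    return (a * b + RAY // 2) // RAY  # half-up rounding (assumed)

def ray_div(a: int, b: int) -> int:
    return (a * RAY + b // 2) // b  # half-up rounding (assumed)

class ScaledLedger:
    """Hypothetical model: stores amount / index, reports stored * index."""

    def __init__(self) -> None:
        self.scaled = {}       # user -> scaled balance
        self.last_index = {}   # user -> index at last mint

    def balance_of(self, user: str, index: int) -> int:
        return ray_mul(self.scaled.get(user, 0), index)

    def mint(self, user: str, amount: int, index: int, add_increase: bool) -> int:
        scaled_balance = self.scaled.get(user, 0)
        prev = self.last_index.get(user, 0)
        balance_increase = 0
        if prev != 0 and prev < index:
            balance_increase = ray_mul(scaled_balance, index) - ray_mul(scaled_balance, prev)
        self.last_index[user] = index
        if add_increase:  # the line the Recommendations section proposes
            amount += balance_increase
        self.scaled[user] = scaled_balance + ray_div(amount, index)
        return balance_increase

def replay(add_increase: bool) -> tuple:
    """Replay the POC: 100 at index 1.0, then 100 more at index 1.05."""
    ledger = ScaledLedger()
    ledger.mint("alice", 100 * WAD, RAY, add_increase)
    index = 105 * RAY // 100
    interest = ledger.mint("alice", 100 * WAD, index, add_increase)
    return interest, ledger.balance_of("alice", index)

if __name__ == "__main__":
    for flag in (False, True):
        interest, balance = replay(flag)
        print(f"add_increase={flag}: balanceIncrease={interest / WAD}, "
              f"balance={balance / WAD} crvUSD")
```

Under these assumptions `replay(False)` reports 205 crvUSD for Alice, the figure the POC gives for both its expected and actual behaviour, and `replay(True)` reports 210 crvUSD.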
