Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Loss of Funds Due to Unchecked uint128 Casting in RToken

foufrix

Summary

RToken unnecessarily casts transfer amounts to uint128, causing silent fund loss when amounts exceed uint128.max.

Vulnerability Details

If user deposit more than type(uint128).max (340282366920938463463374607431768211455) the value will overflow and he will loose amount - uint128.max
The transformation to uint128 is useless as _mint() can be called with uint256

Impact

If a user holds a large portion of tokens and decide to deposit it into the protocol, amount - uint128.max will be locked forever in RToken as it will not mint enough RToken to retrieve the crvUSD token deposited.

Tools Used

Recommendations

Do not cast the value into uint128 as it's useless.

function mint(
address caller,
address onBehalfOf,
uint256 amountToMint,
uint256 index
) external override onlyReservePool returns (bool, uint256, uint256, uint256) {
if (amountToMint == 0) {
return (false, 0, 0, 0);
}
uint256 amountScaled = amountToMint.rayDiv(index);
if (amountScaled == 0) revert InvalidAmount();
uint256 scaledBalance = balanceOf(onBehalfOf);
bool isFirstMint = scaledBalance == 0;
uint256 balanceIncrease = 0;
if (_userState[onBehalfOf].index != 0 && _userState[onBehalfOf].index < index) {
balanceIncrease = scaledBalance.rayMul(index) - scaledBalance.rayMul(_userState[onBehalfOf].index);
}
_userState[onBehalfOf].index = index.toUint128();
- _mint(onBehalfOf, amountToMint.toUint128());
+ _mint(onBehalfOf, amountToMint);
emit Mint(caller, onBehalfOf, amountToMint, index);
return (isFirstMint, amountToMint, totalSupply(), amountScaled);
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.