Core Contracts

Summary

The burn function of the RToken contract returns (amount, totalSupply(), amount), but it should return (amountScaled, totalSupply(), amount) to correctly reflect the scaled value in the first return parameter. This discrepancy can lead to miscalculations in liquidity and interest rate adjustments within the withdraw function of the ReserveLibrary.

Vulnerability Details

In the burn function of the RToken contract:

The first return value is expected to be the scaled amount, which is calculated using:

However, the function incorrectly returns amount instead of amountScaled.

This incorrect return value propagates to withdraw in ReserveLibrary:

Here, burnedScaledAmount is assigned the first return value of burn, which is incorrect because it should represent the scaled value of amount.

This mistake leads to inconsistencies when updating total liquidity and interest rates, as these calculations depend on scaled values. As a result, the system may miscalculate available liquidity, interest accruals, and borrowing rates, potentially leading to incorrect fund distributions and imbalances in the lending pool.

Impact

• Incorrect liquidity tracking: The lending pool may not correctly account for the liquidity being withdrawn, leading to inaccurate liquidity calculations.

• Incorrect interest rate adjustments: Since scaled values are used for interest rate calculations, the mistake can cause improper rate updates, affecting both lenders and borrowers.

• Potential fund misallocations: If future computations rely on the incorrect burnedScaledAmount, users withdrawing funds may receive incorrect amounts.

Tools Used

Manual code review

Recommendations

Modify the return statement in burn to return amountScaled in the first position: