Discrepancy in division in `RToken::transfer` and `RToken::transferFrom`
Summary
In RToken, for each transfer, the "real" value to be transfer will be calculated, however, there is a discrepancy on the divisor in transfer and transferFrom, which can be exploited to transfer more amount than intended.
Vulnerability Details
Here are the code of both transfer and transferFrom:
We see, scaledAmount is handled differently. In transfer, it divides by normalized income of the lending pool, while in transferFrom, it uses liquidity index. Which of the two variables may not necessarily equal. The logic behind transfer and transferFrom are quite similar, a normal user can also use transferFrom instead of transfer. For example, if normalized income is higher than liquidity index, an user can avoid transferring less by using transferFrom, and vice versa.
Moreover, to derive the "real" value of asset, it's correct to use normalized income, not liquidity index.
Impact
Incorrect usage of denominator in transferFrom can be exploited by users to pay more than originally intended so.
Tools Used
Manual review
Recommendations
Use normalized income as denominator in transferFrom
Lead Judging Commences
RToken::transfer uses getNormalizedIncome() while transferFrom uses _liquidityIndex, creating inconsistent transfer amounts depending on function used
RToken::transfer uses getNormalizedIncome() while transferFrom uses _liquidityIndex, creating inconsistent transfer amounts depending on function used
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.