Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Invalid

Missing Validation in `LendingPool::transferAccruedDust` Allows Potential Fund Mismanagement

Summary

The `transferAccruedDust` function in `LendingPool.sol` is intended to allow the contract owner to transfer accrued dust (small remaining token balances) to a specified recipient. However, the function does not validate the amount being transferred, which could result in fund mismanagement or unintended behaviour.

Vulnerability Details

The function is implemented as follows:

    function transferAccruedDust(address recipient, uint256 amount) external onlyOwner {
        // update state
        ReserveLibrary.updateReserveState(reserve, rateData);
        require(recipient != address(0), "LendingPool: Recipient cannot be zero address");
        IRToken(reserve.reserveRTokenAddress).transferAccruedDust(recipient, amount);
    }

The function does not check whether the `amount` parameter exceeds the contract’s actual accrued dust balance. This could result in unexpected failures or transfers of nonexistent funds.

Impact

It can result in potential fund mismanagement if an invalid amount is passed.

Tools Used

Manual code review

Recommendations

Ensure `amount` does not exceed the contract’s actual accrued dust balance before making the transfer.

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
