Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

Wrong Returned Values In RToken

ChainDefenders

Summary

In the RToken.sol contract the mint and burn functions return incorrect values, which can lead to problems during computing values in the ReserveLibrary.

Vulnerability Details

The vulnerabilities arise from the mint and burn functions in the RToken.sol contract. These functions return incorrect values, which can lead to issues when computing values in the ReserveLibrary.

Vulnerability 1: Incorrect Return Value in mint Function

The mint function returns amountToMint instead of amountScaled. This leads to incorrect calculations in the ReserveLibrary, as the scaled amount is necessary for accurate computations.

Vulnerability 2: Incorrect Return Value in burn Function

The burn function returns amount instead of amountScaled. Similar to the mint function, this leads to incorrect calculations in the ReserveLibrary, as the scaled amount is necessary for accurate computations.

Impact

By returning incorrect values, the protocol performs inaccurate calculations in the ReserveLibrary, leading to financial discrepancies. Users may receive incorrect amounts of RTokens or underlying assets, undermining the integrity and reliability of the protocol. This can result in financial losses for users and the protocol, as well as a loss of trust in the system.

Tools Used

Manual Review

Recommendations

To mitigate these vulnerabilities, update the mint and burn functions to return the correct values. Here is an example of how to implement this:

Corrected mint Function

function mint(
address caller,
address onBehalfOf,
uint256 amountToMint,
uint256 index
) external override onlyReservePool returns (bool, uint256, uint256, uint256) {
if (amountToMint == 0) {
return (false, 0, 0, 0);
}
uint256 amountScaled = amountToMint.rayDiv(index);
if (amountScaled == 0) revert InvalidAmount();
uint256 scaledBalance = balanceOf(onBehalfOf);
bool isFirstMint = scaledBalance == 0;
uint256 balanceIncrease = 0;
if (_userState[onBehalfOf].index != 0 && _userState[onBehalfOf].index < index) {
balanceIncrease = scaledBalance.rayMul(index) - scaledBalance.rayMul(_userState[onBehalfOf].index);
}
_userState[onBehalfOf].index = index.toUint128();
_mint(onBehalfOf, amountToMint.toUint128());
emit Mint(caller, onBehalfOf, amountToMint, index);
// Return the correct values
return (isFirstMint, amountScaled, totalSupply(), amountToMint);
}

Corrected burn Function

function burn(
address from,
address receiverOfUnderlying,
uint256 amount,
uint256 index
) external override onlyReservePool returns (uint256, uint256, uint256) {
if (amount == 0) {
return (0, totalSupply(), 0);
}
uint256 userBalance = balanceOf(from);
_userState[from].index = index.toUint128();
if(amount > userBalance){
amount = userBalance;
}
uint256 amountScaled = amount.rayMul(index);
_userState[from].index = index.toUint128();
_burn(from, amount.toUint128());
if (receiverOfUnderlying != address(this)) {
IERC20(_assetAddress).safeTransfer(receiverOfUnderlying, amount);
}
emit Burn(from, receiverOfUnderlying, amount, index);
// Return the correct values
return (amountScaled, totalSupply(), amount);
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RToken::burn returns incorrect underlying asset amount (amount instead of amountScaled), leading to wrong interest rate calculations

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RToken::burn returns incorrect underlying asset amount (amount instead of amountScaled), leading to wrong interest rate calculations

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.