Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

Wrong Returned Values In DebtToken

ChainDefenders

Summary

In the DebtToken.sol contract the mint and burn functions return incorrect values, which can lead to problems during computing values in the ReserveLibrary.

Vulnerability Details

The vulnerabilities arise from the mint and burn functions in the DebtToken.sol contract. These functions return incorrect values, which can lead to issues when computing values in the ReserveLibrary.

Vulnerability 1: Incorrect Return Value in mint Function

The mint function returns amountToMint instead of amountScaled. This leads to incorrect calculations in the ReserveLibrary, as the scaled amount is necessary for accurate computations.

Vulnerability 2: Incorrect Return Value in burn Function

The burn function returns amount instead of amountScaled and amountScaled instead of amount. Similar to the mint function, this leads to incorrect calculations in the ReserveLibrary, as the scaled amount is necessary for accurate computations.

Impact

By returning incorrect values, the protocol performs inaccurate calculations in the ReserveLibrary, leading to financial discrepancies. Users may receive incorrect amounts of DebtTokens, undermining the integrity and reliability of the protocol. This can result in financial losses for users and the protocol, as well as a loss of trust in the system.

Tools Used

Manual Review

Recommendations

To mitigate these vulnerabilities, update the mint and burn functions to return the correct values. Here is an example of how to implement this:

Corrected mint Function

function mint(
address user,
address onBehalfOf,
uint256 amount,
uint256 index
) external override onlyReservePool returns (bool, uint256, uint256) {
if (user == address(0) || onBehalfOf == address(0)) revert InvalidAddress();
if (amount == 0) {
return (false, 0, totalSupply());
}
uint256 amountScaled = amount.rayDiv(index);
if (amountScaled == 0) revert InvalidAmount();
uint256 scaledBalance = balanceOf(onBehalfOf);
bool isFirstMint = scaledBalance == 0;
uint256 balanceIncrease = 0;
if (_userState[onBehalfOf].index != 0 && _userState[onBehalfOf].index < index) {
balanceIncrease = scaledBalance.rayMul(index) - scaledBalance.rayMul(_userState[onBehalfOf].index);
}
_userState[onBehalfOf].index = index.toUint128();
uint256 amountToMint = amount + balanceIncrease;
_mint(onBehalfOf, amountToMint.toUint128());
emit Transfer(address(0), onBehalfOf, amountToMint);
emit Mint(user, onBehalfOf, amountToMint, balanceIncrease, index);
return (scaledBalance == 0, amountScaled, totalSupply());
}

Corrected burn Function

function burn(
address from,
uint256 amount,
uint256 index
) external override onlyReservePool returns (uint256, uint256, uint256, uint256) {
if (from == address(0)) revert InvalidAddress();
if (amount == 0) {
return (0, totalSupply(), 0, 0);
}
uint256 userBalance = balanceOf(from);
uint256 balanceIncrease = 0;
if (_userState[from].index != 0 && _userState[from].index < index) {
uint256 borrowIndex = ILendingPool(_reservePool).getNormalizedDebt();
balanceIncrease = userBalance.rayMul(borrowIndex) - userBalance.rayMul(_userState[from].index);
amount = amount;
}
_userState[from].index = index.toUint128();
if(amount > userBalance){
amount = userBalance;
}
uint256 amountScaled = amount.rayDiv(index);
if (amountScaled == 0) revert InvalidAmount();
_burn(from, amount.toUint128());
emit Burn(from, amountScaled, index);
return (amountScaled, totalSupply(), amount, balanceIncrease);
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

LendingPool functions incorrectly assign DebtToken::burn return values, swapping amountScaled and amountBurned, causing wrong token transfers and debt accounting

This is confusing naming but functionally correct. The variable names are misleading, but that's not a vulnerability.

DebtToken::mint incorrectly mints amountToMint (unscaled) instead of amountScaled (scaled), deviating from Aave's pattern and causing incorrect debt tracking

Just a variable naming issue

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

LendingPool functions incorrectly assign DebtToken::burn return values, swapping amountScaled and amountBurned, causing wrong token transfers and debt accounting

This is confusing naming but functionally correct. The variable names are misleading, but that's not a vulnerability.

DebtToken::mint incorrectly mints amountToMint (unscaled) instead of amountScaled (scaled), deviating from Aave's pattern and causing incorrect debt tracking

Just a variable naming issue

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.