Core Contracts

Summary

The RToken contract's burn mechanism prevents users from withdrawing their full balance including accrued interest. While the contract correctly calculates the interest-adjusted amount, it attempts to burn more tokens than the user has, causing the transaction to revert. Additionally, when a withdrawal succeeds, users only receive their original deposit amount, losing all accrued interest.

Vulnerability Details

In the burn() function, two critical issues occur:

1. It calculates the amountScaled but did not use it

1. If user tries to withdraw full balance (including interest), this amount will be greater than their rToken balance

Example scenario:

Initial State:

• User has 100 rTokens (index 1)

• Index has increased to 1.5 (50% interest accrued)

• User Balance = 150 ( 100 + 50 interest)
  Current Implementation:

1. Withdraw rToken balance ( 100 )

   • Burns 100 rTokens

   • Transfers 100 underlying tokens

   • No way to claim remaining interest since user burns all his rTokens

2. Withdraw userBalance ( 150 )

   • Burns 150 rTokens -> will revert since user only has 100 rTokens

Impact

Users cannot withdraw their accrued interest as attempts to withdraw the full entitled balance will revert due to insufficient rToken balance, and successful withdrawals only return the original deposit amount, resulting in permanent loss of earned interest.

Recommendations

Modify the burn mechanism to correctly calculate and burn the appropriate number of rTokens based on the requested underlying amount while ensuring the full interest-adjusted amount is transferred