Redundant Scaling in Transfer Functions of RToken Contract
Summary
The _update and transfer functions both scale the amount using rayDiv with the normalizedIncome, but it seems redundant to apply this scaling in both places.
Vulnerability Details
https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/tokens/RToken.sol#L213
https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/tokens/RToken.sol#L309
In the RToken contract the _update and trasnfer functions apply scaling to the transfer amounts using rayDiv with normalizedIncome.
The issue:
Both functions are scaling the amount by the same factor,
rayDiv(ILendingPool(_reservePool).getNormalizedIncome()).The
_updatefunction is already called internally by thetransferfunction viasuper.transfer(). Iftransferalso applies the scaling, this leads to a redundant operation, potentially doubling the scaling effect and resulting in incorrect token transfers.
Impact
Redundant scaling could lead to unintended transfer amounts being sent, affecting token balances and disrupting protocol logic.
Tools Used
Manual review
Recommendations
To avoid redundant scaling, ensure that only one of the functions (either _update or transfer) applies the scaling logic.
Lead Judging Commences
RToken::transfer and transferFrom double-scale amounts by dividing in both external functions and _update, causing users to transfer significantly less than intended
RToken::transfer and transferFrom double-scale amounts by dividing in both external functions and _update, causing users to transfer significantly less than intended
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.