StabilityPool.calculateRcrvUSDAmount() calculates incorrectly RTokens to return
Summary
StabilityPool.calculateRcrvUSDAmount() calculates incorrectly RTokens to return
Vulnerability Details
StabilityPool.calculateRcrvUSDAmount() expects to return the amount of RTokens that will received for a given amount of redeemed deTokens. However, the calculation is wrong because of the way decimals of each tokens are counted.
Imagine rTokenDecimals = 8 and deTokenDecimals = 10; deToken amount to redeem = 1e10.
scalingFactor = 10^(18 + 8 - 10) = 10^16 = 1e16. Returned amount is 1e10 * 1e18 / 1e16, which equals 1e12 RTokens. This is clearly wrong as 1e10 tokens of a token with 10 decimals should equal 1e8 tokens of a token with 8 decimals, the expected value should be 1e8, which is obtained if we do 1e10 * 1e16 / 1e18.
Impact
The returned amount of RTokens when calling withdraw will be incorrect, the higher difference between both tokens' decimals the higher the error. Both contract or caller will get many more tokens than expected and the other of the two many less tokens.
Tools Used
Manual review
Recommendations
Update the function so that calculations is correctly done:
Lead Judging Commences
Incorrect scaling factor formula in StabilityPool::calculateRcrvUSDAmount function
Both tokens have 18 decimals. Info
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.