Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Incorrect amount to mint in RToken::mint causes protocol insolvency and fund loss

freesultan

Summary

The RToken contract's mint() function incorrectly mints the non-scaled amountToMint instead of the amountScaled amount.

Vulnerability Details

The RToken contract's mint() function incorrectly mints the non-scaled amountToMint instead of the amountScaled amount. When users deposit assets, they receive more RTokens than they should based on the current liquidity index, creating a mismatch between protocol assets and RToken supply.

// RToken.sol
function mint(...) {
uint256 amountScaled = amountToMint.rayDiv(index);
_mint(onBehalfOf, amountToMint.toUint128()); // @> Should mint amountScaled
return (isFirstMint, amountToMint, totalSupply(), amountScaled);
}

Impact

  • Users can withdraw more assets than they deposited

  • Protocol becomes insolvent as RToken supply exceeds asset reserves

  • Early depositors can drain protocol's assets

Tools Used

manual code review

Recommendations

Fix the mint function to use the scaled amount

function mint(...) returns (bool, uint256, uint256, uint256) {
// ...
uint256 amountScaled = amountToMint.rayDiv(index);
_mint(onBehalfOf, amountScaled); // Mint scaled amount
// ...
return (isFirstMint, amountScaled, totalSupply(), amountToMint);
// Return amountScaled as second parameter
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RToken::mint should mint the amountScaled not the amountToMint

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RToken::mint should mint the amountScaled not the amountToMint

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.