Core Contracts

Summary

The rToken contract contains an issue where token amounts are incorrectly scaled twice during transfers and updates. In the transfer and transferFrom functions, the token amount is scaled by rayDiv with the normalized income (getNormalizedIncome). However, when the _update function is called, the same amount is scaled again. This results in the token amount being reduced more than expected, which leads to the incorrect transfer and update of token balances.

Vulnerability Details

• Issue:
  The token amount is being scaled twice — once in the transfer and transferFrom functions and again in the _update function. This double scaling reduces the token amount more than intended.

• Affected Code:

  • Transfer Function:

    function transfer(address recipient, uint256 amount) public override(ERC20, IERC20) returns (bool) {

    uint256 scaledAmount = amount.rayDiv(ILendingPool(_reservePool).getNormalizedIncome());

    return super.transfer(recipient, scaledAmount);

    }

  • TransferFrom Function:

    function transferFrom(address sender, address recipient, uint256 amount) public override(ERC20, IERC20) returns (bool) {

    uint256 scaledAmount = amount.rayDiv(_liquidityIndex);

    return super.transferFrom(sender, recipient, scaledAmount);

    }

  • _update Function:

    function _update(address from, address to, uint256 amount) internal override {

    uint256 scaledAmount = amount.rayDiv(ILendingPool(_reservePool).getNormalizedIncome());

    super._update(from, to, scaledAmount);

    }

    In this example, if the original amount is 1000e18 and the scaling factor is 2e18, after the first scaling (in transfer or transferFrom), the amount becomes 500e18. However, when _update is called, the same amount is scaled again, reducing it to 250e18, which is incorrect.

Impact

• Incorrect Token Amounts:
  The double scaling results in the transfer amount and token balances being reduced more than intended. This leads to users receiving or transferring fewer tokens than expected.

• Balance Inconsistencies:
  Since the amount is scaled twice, users' balances could be incorrectly updated, leading to discrepancies in the amount of tokens they hold and causing potential errors when interacting with the contract.

• Potential Loss of Tokens:
  If the double scaling is not corrected, it could cause users to lose tokens during transfers or other operations that involve the _update function.

Tools Used

** Manual Code Review**

Recommendations

1. Avoid Double Scaling:
   Ensure that the token amount is scaled only once, either in the transfer or transferFrom function, but not both. The scaling in the _update function should use the correctly scaled value rather than scaling it again.