Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Double Scaling Issue in `rToken` Contract Causing Incorrect Transfers and Balance Updates

xcrypt

Summary

The rToken contract has a flaw where token amounts are scaled twice during transfers and balance updates. Both the transfer and transferFrom functions adjust the amount using rayDiv with the normalized income (getNormalizedIncome). However, when the _update function processes the transaction, the same amount is scaled again. This results in an unintended reduction in token values, leading to incorrect balance updates and transfer amounts.

Vulnerability Details

  • Issue:
    The contract applies scaling twice—first in transfer and transferFrom, and then again in _update. This double application of rayDiv leads to an unintended decrease in transferred token amounts.

  • Affected Code:

    • Transfer Function:

      function transfer(address recipient, uint256 amount) public override(ERC20, IERC20) returns (bool) {
      uint256 scaledAmount = amount.rayDiv(ILendingPool(_reservePool).getNormalizedIncome());
      return super.transfer(recipient, scaledAmount);
      }

    • TransferFrom Function:

      function transferFrom(address sender, address recipient, uint256 amount) public override(ERC20, IERC20) returns (bool) {
      uint256 scaledAmount = amount.rayDiv(_liquidityIndex);
      return super.transferFrom(sender, recipient, scaledAmount);
      }

    • _update Function:

      function _update(address from, address to, uint256 amount) internal override {
      uint256 scaledAmount = amount.rayDiv(ILendingPool(_reservePool).getNormalizedIncome());
      super._update(from, to, scaledAmount);
      }

      If an initial amount of 1000e18 is processed with a scaling factor of 2e18, the first adjustment reduces it to 500e18. When _update applies another scaling, it drops further to 250e18, which is incorrect.

Impact

  • Reduced Transfer Amounts:
    Due to the unintended double scaling, recipients receive fewer tokens than they should.

  • Inaccurate Balances:
    Users’ token balances are updated incorrectly, leading to discrepancies in their holdings.

  • Potential Token Loss:
    The miscalculation can result in token amounts shrinking with each transaction, causing financial discrepancies.

Tools Used

  • Manual Code Review

Recommendations

  1. Prevent Double Scaling:
    Ensure that token amounts are adjusted only once by modifying the _update function to use the already scaled value.

  2. Fix the _update Function:
    Modify _update to prevent additional scaling:

    function _update(address from, address to, uint256 amount) internal override {
    super._update(from, to, amount); // Use the pre-scaled amount from transfer functions
    }
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RToken::transfer and transferFrom double-scale amounts by dividing in both external functions and _update, causing users to transfer significantly less than intended

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RToken::transfer and transferFrom double-scale amounts by dividing in both external functions and _update, causing users to transfer significantly less than intended

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!