Submission Details
Severity:
The `balanceIncrease` should be calculated and minted for the user before the burning process in the `RToken::burn` function
Summary
Currently, the balanceIncrease variable is not accounted for, unlike in the RToken::mint function.
Vulnerability Details
The reserve.liquidityIndex is updating during time, and the balanceIncrease variable represents the additional amount that should be minted for the user due to the changes in reserve.liquidityIndex. However, the RToken::burn function does not take this into account.
Impact
This oversight can lead to incorrect calculations.
Tools Used
Manual review.
Recommendations
function burn(
address from,
address receiverOfUnderlying,
uint256 amount,
uint256 index
) external override onlyReservePool returns (uint256, uint256, uint256) {
if (amount == 0) {
return (0, totalSupply(), 0);
}
+ uint256 oldUserBalance = balanceOf(from);
+ uint256 balanceIncrease = 0;
+ if (_userState[onBehalfOf].index != 0 && _userState[onBehalfOf].index < index) {
+ balanceIncrease = oldUserBalance.rayMul(index) - oldUserBalance.rayMul(_userState[onBehalfOf].index);
+ }
+ _mint(onBehalfOf, balanceIncrease.toUint128());
Updates
Lead Judging Commences
inallhonesty 7 months ago
Submission Judgement Published Reason: Non-acceptable severity
Assigned finding tags:
RToken::burn doesn't handle interest accrual via balanceIncrease calculation, leading to loss of all earned interest during withdrawals
inallhonesty 7 months ago
Submission Judgement Published Reason: Non-acceptable severity
Assigned finding tags:
RToken::burn doesn't handle interest accrual via balanceIncrease calculation, leading to loss of all earned interest during withdrawals
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420
USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.