Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

Invalid balance comparison in RToken.burn() leads to incorrect withdrawals

Summary

The RToken's burn() function incorrectly compares amount (in reserveAsset/crvUSD units) with userBalance (in RToken units), failing to account for the liquidity index scaling factor.

Vulnerability Details

In RToken's burn() function, there is a critical comparison issue between incompatible asset types. The function compares amount (in reserveAsset/crvUSD units) with userBalance (in RToken units) directly, which is incorrect because balanceOf() returns the RToken balance scaled by the current liquidity index.

function burn(...) {
    ...
    // @>audit: userBalance is in RToken
    uint256 userBalance = balanceOf(from);
    // @>audit: incorrect comparison - different units!
    if (amount > userBalance) { // amount is in crvUSD units
        amount = userBalance; // assigning crvUSD amount = RToken balance
    }
    ...
}

Impact

Unauthorized excess withdrawal of reserve assets
Breaking of asset-backing guarantees
Potential protocol insolvency

Tools Used

Manual Code Review

Recommendations

We need to convert to the same unit before comparison:

function burn(...) {
    uint256 userBalance = balanceOf(from); // in RTokens
    // Convert everything to underlying asset (crvUSD) units
    uint256 maxWithdrawable = userBalance.rayDiv(index); // RTokens to crvUSD
    if (amount > maxWithdrawable) {
        amount = maxWithdrawable;
    }
}

Updates
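An added example, not code from the submission or the RAAC contracts: a small integer model of Aave-style liquidity-index scaling, in which storage keeps scaled units, balanceOf() reports underlying units, and the burn cap therefore compares underlying with underlying. The convention that balanceOf() equals scaledBalance.rayMul(index) is an assumption about RToken's internals; a contrast helper shows how the cap changes when an underlying amount is instead capped by the scaled balance, which is the unit question this submission raises.

```python
# Added example: integer model of scaled-balance accounting (Aave convention).
# Assumption: RToken stores scaled units and balanceOf() = scaled.rayMul(index).
RAY = 10**27  # 1.0 in 27-decimal fixed point, as in WadRayMath


def ray_mul(a: int, b: int) -> int:
    """a * b / RAY, rounded half up (WadRayMath.rayMul semantics)."""
    return (a * b + RAY // 2) // RAY


def ray_div(a: int, b: int) -> int:
    """a * RAY / b, rounded half up (WadRayMath.rayDiv semantics)."""
    return (a * RAY + b // 2) // b


class ScaledToken:
    """Storage holds scaled (index-independent) units; balance_of reports
    underlying units by applying the current liquidity index."""

    def __init__(self, liquidity_index: int) -> None:
        self.index = liquidity_index            # ray-scaled, >= RAY
        self.scaled: dict[str, int] = {}        # scaled units per account

    def mint(self, to: str, amount_underlying: int) -> None:
        self.scaled[to] = self.scaled.get(to, 0) + ray_div(amount_underlying, self.index)

    def balance_of(self, who: str) -> int:
        # Underlying units: scaled * index. This is what the cap compares against.
        return ray_mul(self.scaled.get(who, 0), self.index)

    def burn(self, frm: str, amount_underlying: int) -> int:
        """Burn up to amount_underlying; returns the underlying amount burned.
        Both sides of the cap below are in underlying units."""
        user_balance = self.balance_of(frm)     # underlying, not scaled
        if amount_underlying > user_balance:
            amount_underlying = user_balance
        self.scaled[frm] -= ray_div(amount_underlying, self.index)
        return amount_underlying


def cap_against_scaled(token: ScaledToken, who: str, amount_underlying: int) -> int:
    """Contrast only: capping an underlying amount by the *scaled* balance.
    With index > RAY the scaled figure is smaller, so the cap differs."""
    return min(amount_underlying, token.scaled.get(who, 0))
```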

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

Wrong balance check in RToken::burn

It's underlying vs underlying
