Core Contracts

Summary

Alice deposits a certain amount and receives RToken based on the liquidity index. When she tries to transfer all her RToken to another account, the transfer function scales the amount down due to the liquidity index calculation. This results in a lower amount being moved than expected. When attempting to transfer the remaining balance, the scaling effect happens again, preventing her from transferring the full amount. As a result, she is unable to transfer all her RToken to another account due to repeated scaling reductions.

Vulnerability Details

a. Let’s assume, currently liquidityIndex = 1.2e27. Alice deposits 100e18 amounts and (100e18*1e27)/1.2e27 = 88.3e18 amount of RToken is minted to alice.

B. now alice wants to transfer all 88.3e18 to a different account by calling the function transfer where scaledAmount = (88.3e18*1e27)1.2e27 = 73.5e18. This calls super.transfer with 73.5e18 amounts which calls function _update where scaledAmount = (73.5e18*1e27)/1.2e27 = 61.25e18. Now 61.25e18 amount is transferred from alice to the different account. Alice wants to transfer 88.3e18 amounts but Alice can’t transfer all amounts.

C. now alice wants to transfer left 88.3e18 - 61.2e18 = 27e18 amount but this time also cannot transfer the full 27e18 rtoken amount because 27e18 will be scaled down/dived two times by 1.2e27.

**D. as a result, a user can’t transfer his/her all rtoken amounts to different account. **

Impact

All RToken amounts can’t be transferred by function transfer in the RToken contract.

Tools Used

manual review

Recommendations

make sure All RToken amounts can be transferred by function transfer in the RToken contract.