Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

The outputs of the `DebtToken::burn` function don't align with the variables in the `LendingPool::_repay` function

Vulnerability Details

The `DebtToken::burn` function returns the values `amount`, `totalSupply()`, `amountScaled`, and `balanceIncrease`, in that order.

```solidity
return (amount, totalSupply(), amountScaled, balanceIncrease);
```

However, in the `LendingPool::_repay` function, which calls `DebtToken::burn`, the outputs are stored in variables named `amountScaled`, `newTotalSupply`, `amountBurned`, and `balanceIncrease`.

```solidity
(uint256 amountScaled, uint256 newTotalSupply, uint256 amountBurned, uint256 balanceIncrease) =
    IDebtToken(reserve.reserveDebtTokenAddress).burn(onBehalfOf, amount, reserve.usageIndex);
```

As a result, the actual value of amount is stored in the variable amountScaled, while the actual value of amountScaled is stored in amountBurned.

This discrepancy ultimately leads to an incorrect transfer here.

Impact

Incorrect transfer amount

Tools Used

Manual review

Recommendations

Swap `amountScaled` and `amountBurned` in the `LendingPool::_repay` function.
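
A name-based check for this class of mistake, written as an added example (not code from the submission or the audited project): it reads the two statements quoted in the finding and reports any name the callee returns in one tuple slot while the caller binds it in another. The helper names and the string constants are assumptions made for the illustration.

```python
import re

# Constructed input: the two statements quoted in the finding, plus the
# destructuring after the recommended swap.
BURN_RETURN = "return (amount, totalSupply(), amountScaled, balanceIncrease);"
CALL = " = IDebtToken(reserve.reserveDebtTokenAddress).burn(onBehalfOf, amount, reserve.usageIndex);"
REPAY_AS_WRITTEN = ("(uint256 amountScaled, uint256 newTotalSupply, "
                    "uint256 amountBurned, uint256 balanceIncrease)" + CALL)
REPAY_SWAPPED = ("(uint256 amountBurned, uint256 newTotalSupply, "
                 "uint256 amountScaled, uint256 balanceIncrease)" + CALL)


def split_top_level(text):
    """Split on commas that are not nested inside parentheses."""
    parts, depth, current = [], 0, ""
    for ch in text:
        if ch == "," and depth == 0:
            parts.append(current.strip())
            current = ""
            continue
        depth += (ch == "(") - (ch == ")")
        current += ch
    return parts + [current.strip()]


def returned_names(return_stmt):
    """Slot-ordered names in `return (...)`; `totalSupply()` becomes `totalSupply`."""
    inner = re.search(r"return\s*\((.*)\)\s*;", return_stmt, re.S).group(1)
    return [re.sub(r"\(.*\)$", "", part) for part in split_top_level(inner)]


def bound_names(destructure_stmt):
    """Slot-ordered local names on the left of a tuple destructuring."""
    lhs = destructure_stmt.split("=", 1)[0].strip()
    return [p.split()[-1] if p else "" for p in split_top_level(lhs[1:-1])]


def misordered(return_stmt, destructure_stmt):
    """(name, slot in callee, slot in caller) for names bound to a different slot."""
    ret, bound = returned_names(return_stmt), bound_names(destructure_stmt)
    return [(name, ret.index(name), slot)
            for slot, name in enumerate(bound)
            if name in ret and ret.index(name) != slot]


if __name__ == "__main__":
    print(misordered(BURN_RETURN, REPAY_AS_WRITTEN))
    print(misordered(BURN_RETURN, REPAY_SWAPPED))
```

The check is name-based, so it only fires when the caller reuses a name that the callee returns in a different slot.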

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

DebtToken::burn returns items in the wrong order
