Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Wrong updation of the totalLiquidity when a depositor withdraws his whole balance

vs_

Summary

Wrong updation of the totalLiquidity when a depositor withdraws his whole balance

Vulnerability Details

Following is withdraw function function

function withdraw(uint256 amount) external nonReentrant whenNotPaused onlyValidAmount(amount) {

if (withdrawalsPaused) revert WithdrawalsArePaused();

// Update the reserve state before the withdrawal

ReserveLibrary.updateReserveState(reserve, rateData);

// Ensure sufficient liquidity is available

_ensureLiquidity(amount);

// Perform the withdrawal through ReserveLibrary

(uint256 amountWithdrawn, uint256 amountScaled, uint256 amountUnderlying) = ReserveLibrary.withdraw(

reserve, // ReserveData storage

rateData, // ReserveRateData storage

amount, // Amount to withdraw

msg.sender // Recipient

);

// Rebalance liquidity after withdrawal

_rebalanceLiquidity();

emit Withdraw(msg.sender, amountWithdrawn);

}

function withdraw(

ReserveData storage reserve,

ReserveRateData storage rateData,

uint256 amount,

address recipient

) internal returns (uint256 amountWithdrawn, uint256 amountScaled, uint256 amountUnderlying) {

if (amount < 1) revert InvalidAmount();

// Update the reserve interests

updateReserveInterests(reserve, rateData);

// Burn RToken from the recipient - will send underlying asset to the recipient

(uint256 burnedScaledAmount, uint256 newTotalSupply, uint256 amountUnderlying) = IRToken(reserve.reserveRTokenAddress).burn(

recipient, // from

recipient, // receiverOfUnderlying

amount, // amount

reserve.liquidityIndex // index

);

amountWithdrawn = burnedScaledAmount;

// Update the total liquidity and interest rates

updateInterestRatesAndLiquidity(reserve, rateData, 0, amountUnderlying);

emit Withdraw(recipient, amountUnderlying, burnedScaledAmount);

return (amountUnderlying, burnedScaledAmount, amountUnderlying);

}

Now suppose user initially deposited 100 tokens therefore total liquidity was increased by 100 token

function deposit(ReserveData storage reserve,ReserveRateData storage rateData,uint256 amount,address depositor) internal returns (uint256 amountMinted) {

if (amount < 1) revert InvalidAmount();

// Update reserve interests

updateReserveInterests(reserve, rateData);

// Transfer asset from caller to the RToken contract

IERC20(reserve.reserveAssetAddress).safeTransferFrom(

msg.sender, // from

reserve.reserveRTokenAddress, // to

amount // amount

);

// Mint RToken to the depositor (scaling handled inside RToken)

(bool isFirstMint, uint256 amountScaled, uint256 newTotalSupply, uint256 amountUnderlying) = IRToken(reserve.reserveRTokenAddress).mint(

address(this), // caller

depositor, // onBehalfOf

amount, // amount

reserve.liquidityIndex // index

);

amountMinted = amountScaled;

// Update the total liquidity and interest rates

updateInterestRatesAndLiquidity(reserve, rateData, amount, 0);

emit Deposit(depositor, amount, amountMinted);

return amountMinted;

}

/**

if (liquidityAdded > 0) {

reserve.totalLiquidity = reserve.totalLiquidity + liquidityAdded.toUint128();

}

Now user wants to withdraw his token balance now as the liqudity index has increased his token balance would be greater than 100 tokens lets say 150 tokens so when he withdraws those tokens burn function will be called which is as follows

function burn(

address from,

address receiverOfUnderlying,

uint256 amount,

uint256 index

) external override onlyReservePool returns (uint256, uint256, uint256) {

if (amount == 0) {

return (0, totalSupply(), 0);

}

uint256 userBalance = balanceOf(from);

_userState[from].index = index.toUint128();

if(amount > userBalance){

amount = userBalance;

}

uint256 amountScaled = amount.rayMul(index);

_userState[from].index = index.toUint128();

_burn(from, amount.toUint128());

if (receiverOfUnderlying != address(this)) {

IERC20(_assetAddress).safeTransfer(receiverOfUnderlying, amount);

}

emit Burn(from, receiverOfUnderlying, amount, index);

return (amount, totalSupply(), amount);

}

Now lets see the withdraw function in reserve library

function withdraw(

ReserveData storage reserve,

ReserveRateData storage rateData,

uint256 amount,

address recipient

) internal returns (uint256 amountWithdrawn, uint256 amountScaled, uint256 amountUnderlying) {

if (amount < 1) revert InvalidAmount();

// Update the reserve interests

updateReserveInterests(reserve, rateData);

// Burn RToken from the recipient - will send underlying asset to the recipient

(uint256 burnedScaledAmount, uint256 newTotalSupply, uint256 amountUnderlying) = IRToken(reserve.reserveRTokenAddress).burn(

recipient, // from

recipient, // receiverOfUnderlying

amount, // amount

reserve.liquidityIndex // index

);

amountWithdrawn = burnedScaledAmount;

// Update the total liquidity and interest rates

updateInterestRatesAndLiquidity(reserve, rateData, 0, amountUnderlying);

emit Withdraw(recipient, amountUnderlying, burnedScaledAmount);

return (amountUnderlying, burnedScaledAmount, amountUnderlying);

}

As we can see it updates the interest rates and liquidty index by reducing the total liquidity by the amount underlying which will be eqaul to 150 tokens and thus reducing the total liquidty by incorrect amount.

function updateInterestRatesAndLiquidity(ReserveData storage reserve,ReserveRateData storage rateData,uint256 liquidityAdded,uint256 liquidityTaken) internal {

// Update total liquidity

if (liquidityAdded > 0) {

reserve.totalLiquidity = reserve.totalLiquidity + liquidityAdded.toUint128();

}

if (liquidityTaken > 0) {

if (reserve.totalLiquidity < liquidityTaken) revert InsufficientLiquidity();

reserve.totalLiquidity = reserve.totalLiquidity - liquidityTaken.toUint128();

}

uint256 totalLiquidity = reserve.totalLiquidity;

uint256 totalDebt = reserve.totalUsage;

uint256 computedDebt = getNormalizedDebt(reserve, rateData);

uint256 computedLiquidity = getNormalizedIncome(reserve, rateData);

// Calculate utilization rate

uint256 utilizationRate = calculateUtilizationRate(reserve.totalLiquidity, reserve.totalUsage);

// Update current usage rate (borrow rate)

rateData.currentUsageRate = calculateBorrowRate(

rateData.primeRate,

rateData.baseRate,

rateData.optimalRate,

rateData.maxRate,

rateData.optimalUtilizationRate,

utilizationRate

);

// Update current liquidity rate

rateData.currentLiquidityRate = calculateLiquidityRate(

utilizationRate,

rateData.currentUsageRate,

rateData.protocolFeeRate,

totalDebt

);

// Update the reserve interests

updateReserveInterests(reserve, rateData);

emit InterestRatesUpdated(rateData.currentLiquidityRate, rateData.currentUsageRate);

}

Impact

Incorrect reduction of total liquidity leads to wrong utilization rate and causes issues

Tools Used

manual review

Recommendations

Only reduce the amount which was initially added to the total liquidity

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!