Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Incorrect transfer amount in the `RToken.transfer()` function

Summary

The `RToken.transfer()` function computes the transfer amount `scaledAmount` using the liquidity index from the LendingPool. However, the liquidity index is not updated before it is read and may be stale, leading to an incorrect transfer amount.

Vulnerability Details

The RToken.transfer() function calculates the transfer amount scaledAmount using ILendingPool(_reservePool).getNormalizedIncome().

    function transfer(address recipient, uint256 amount) public override(ERC20, IERC20) returns (bool) {
        uint256 scaledAmount = amount.rayDiv(ILendingPool(_reservePool).getNormalizedIncome());
        return super.transfer(recipient, scaledAmount);
    }

However, the LendingPool.getNormalizedIncome() function merely returns reserve.liquidityIndex without updating it. Consequently, this return value may not accurately reflect the current liquidity index, resulting in an incorrect transfer amount.

    function getNormalizedIncome() external view returns (uint256) {
        return reserve.liquidityIndex;
    }

Impact

The transfer amount may be incorrect.

Tools Used

Manual review

Recommendations

Ensure that the reserve state of the LendingPool is updated before executing a transfer.
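
The stale read and the recommended ordering, compared in a small Python model. This is an added example, not code from the audited project: the `Reserve` class, the linear accrual in `update_state`, the half-up ray rounding, and the sample index, rate and amounts are all assumptions made for illustration.

```python
RAY = 10**27
SECONDS_PER_YEAR = 365 * 24 * 3600


def ray_mul(a, b):
    # Ray (1e27) fixed-point multiply, rounding half up (assumed rounding).
    return (a * b + RAY // 2) // RAY


def ray_div(a, b):
    # Ray fixed-point divide, rounding half up (assumed rounding).
    return (a * RAY + b // 2) // b


class Reserve:
    """Hypothetical stand-in for the LendingPool reserve state."""

    def __init__(self, liquidity_index, liquidity_rate, last_update):
        self.liquidity_index = liquidity_index
        self.liquidity_rate = liquidity_rate
        self.last_update = last_update

    def get_normalized_income(self):
        # Mirrors the view function on the page: stored value, no accrual.
        return self.liquidity_index

    def update_state(self, now):
        # Assumed accrual model: linear interest since the last update.
        elapsed = now - self.last_update
        growth = RAY + self.liquidity_rate * elapsed // SECONDS_PER_YEAR
        self.liquidity_index = ray_mul(self.liquidity_index, growth)
        self.last_update = now


def scaled_amount(amount, now, refresh_first):
    # Constructed sample reserve: index 1.0, 10% yearly rate, last touched at t=0.
    reserve = Reserve(RAY, RAY // 10, last_update=0)
    if refresh_first:
        reserve.update_state(now)  # the recommended ordering
    return ray_div(amount, reserve.get_normalized_income())


def compare(amount, now):
    # Returns (scaled amount from stale index, from refreshed index, difference).
    stale = scaled_amount(amount, now, refresh_first=False)
    fresh = scaled_amount(amount, now, refresh_first=True)
    return stale, fresh, stale - fresh


if __name__ == "__main__":
    print(compare(110 * 10**18, SECONDS_PER_YEAR))
```

In this model the difference grows with the time since the reserve was last updated and is zero when the transfer happens in the same instant as an update.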

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::getNormalizedIncome() and getNormalizedDebt() return stale data without updating state first, causing RToken calculations to use outdated values
