Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

Index-Based Balance Adjustment Not Applied in function min() in Rtoken.sol contract

dystopiaxyz

Summary

The mint function contains an unused variable, balanceIncrease, which is calculated but never used in the final balance update. This oversight can lead to under-minting of tokens, particularly when interest accrual based on the liquidity index is expected.

Vulnerability Details

function mint(
address caller,
address onBehalfOf,
uint256 amountToMint,
uint256 index
) external override onlyReservePool returns (bool, uint256, uint256, uint256) {
if (amountToMint == 0) {
return (false, 0, 0, 0);
}
uint256 amountScaled = amountToMint.rayDiv(index);
if (amountScaled == 0) revert InvalidAmount();
uint256 scaledBalance = balanceOf(onBehalfOf);
bool isFirstMint = scaledBalance == 0;
uint256 balanceIncrease = 0;
if (_userState[onBehalfOf].index != 0 && _userState[onBehalfOf].index < index) {
>> balanceIncrease = scaledBalance.rayMul(index) - scaledBalance.rayMul(_userState[onBehalfOf].index); //@audit-info : [M-11] unused variable
}
_userState[onBehalfOf].index = index.toUint128();
>> _mint(onBehalfOf, amountToMint.toUint128());
emit Mint(caller, onBehalfOf, amountToMint, index);
return (isFirstMint, amountToMint, totalSupply(), amountScaled);
}

balanceIncrease Is Not Applied

  • The function correctly calculates balanceIncrease but never uses it when minting tokens.

  • The minting function _mint(onBehalfOf, amountToMint.toUint128()); ignores balanceIncrease, meaning:

    • Users receive only the newly minted amount (amountToMint).

    • They do not receive the balance increase due to interest accrual from the liquidity index change.

Impact

Under-Minting Tokens: Users do not receive the full adjusted balance after an index update.

Incorrect Interest Accrual: The protocol does not properly reflect changes in the liquidity index, leading to discrepancies in token balances.

Potential Loss of Funds: If this function is part of a lending or staking system, users lose out on accrued yield due to incorrect balance calculations.

Tools Used

Manual Review

Recommendations

Adjust scaledBalance Before Minting

Mint the Correct Total Amount

function mint(
address caller,
address onBehalfOf,
uint256 amountToMint,
uint256 index
) external override onlyReservePool returns (bool, uint256, uint256, uint256) {
if (amountToMint == 0) {
return (false, 0, 0, 0);
}
uint256 amountScaled = amountToMint.rayDiv(index);
if (amountScaled == 0) revert InvalidAmount();
uint256 scaledBalance = balanceOf(onBehalfOf);
bool isFirstMint = scaledBalance == 0;
uint256 balanceIncrease = 0;
if (_userState[onBehalfOf].index != 0 && _userState[onBehalfOf].index < index) {
balanceIncrease = scaledBalance.rayMul(index) - scaledBalance.rayMul(_userState[onBehalfOf].index); //unused variable
}
_userState[onBehalfOf].index = index.toUint128();
-- _mint(onBehalfOf, amountToMint.toUint128());
// Fix: Mint the correct amount including balanceIncrease
++ _mint(onBehalfOf, (amountScaled + balanceIncrease).toUint128());
emit Mint(caller, onBehalfOf, amountToMint, index);
return (isFirstMint, amountToMint, totalSupply(), amountScaled);
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RToken::mint should mint the amountScaled not the amountToMint

RToken::mint calculates balanceIncrease (interest accrued since last interaction) but never mints it, causing users to lose earned interest between deposits

The balanceIncrease is the interest that has already accrued on the user's existing scaledBalance since their last interaction. It's not something you mint as new tokens in the _mint function.

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RToken::mint should mint the amountScaled not the amountToMint

RToken::mint calculates balanceIncrease (interest accrued since last interaction) but never mints it, causing users to lose earned interest between deposits

The balanceIncrease is the interest that has already accrued on the user's existing scaledBalance since their last interaction. It's not something you mint as new tokens in the _mint function.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!