Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

Incorrect Values Returned in ReserveLibrary `withdraw` Function

Summary

The withdraw function in the ReserveLibrary returns incorrect values, specifically for the amountWithdrawn, amountScaled, and amountUnderlying parameters. This can lead to inconsistent state and incorrect data being used by the calling contract (LendingPool in this case).

Vulnerability Details

The withdraw function calculates and uses different amounts for internal operations, but the returned values do not accurately reflect these amounts. Specifically:

  1. amountWithdrawn: This should represent the actual amount of underlying asset withdrawn by the user.

  2. amountScaled: This should be the scaled amount of RTokens burned. However, the current implementation returns an intermediate amount.

  3. amountUnderlying: This should represent the actual burned amount of RTokens in underlying asset units.

```solidity
function withdraw(
    ReserveData storage reserve,
    ReserveRateData storage rateData,
    uint256 amount,
    address to
) internal returns (uint256, uint256, uint256) {
    // ... other code ...
    uint256 amountScaled = amount.rayDiv(reserve.liquidityIndex); // Scaled amount
    uint256 amountUnderlying = amountScaled.rayMul(reserve.liquidityIndex);
    // ... other code ...
    // INCORRECT return values
    return (amountUnderlying, burnedScaledAmount, amountUnderlying); // Should be (amountWithdrawn, amountScaled, amountUnderlying)
}
```
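
The round trip in the two visible lines of `withdraw`, as an added example (not part of the submission or the RAAC code base): it assumes `rayDiv`/`rayMul` round half-up at 27 decimals as in Aave-style WadRayMath, and the index and amounts are constructed. It shows that `amountUnderlying` need not equal the requested `amount`, so one cannot stand in for the other in the return tuple.

```javascript
// Added illustration, not RAAC code. ASSUMPTION: rayMul/rayDiv round half-up
// at 27 decimals (Aave-style WadRayMath); the report does not show the library.
const RAY = 10n ** 27n;
const HALF_RAY = RAY / 2n;

const rayMul = (a, b) => (a * b + HALF_RAY) / RAY;
const rayDiv = (a, b) => (a * RAY + b / 2n) / b;

// Mirrors the two visible lines of withdraw():
//   amountScaled     = amount.rayDiv(liquidityIndex)
//   amountUnderlying = amountScaled.rayMul(liquidityIndex)
function roundTrip(amount, liquidityIndex) {
  if (liquidityIndex <= 0n) throw new RangeError("liquidityIndex must be > 0");
  const amountScaled = rayDiv(amount, liquidityIndex);
  const amountUnderlying = rayMul(amountScaled, liquidityIndex);
  return { amountScaled, amountUnderlying, drift: amountUnderlying - amount };
}

// Scan a range of requested amounts and collect those where a caller that
// treats the returned amountUnderlying as "amount" would record a different number.
function scanDrift(from, to, liquidityIndex) {
  const mismatches = [];
  let maxAbsDrift = 0n;
  for (let amount = from; amount <= to; amount++) {
    const { amountUnderlying, drift } = roundTrip(amount, liquidityIndex);
    if (drift !== 0n) mismatches.push({ amount, amountUnderlying, drift });
    const abs = drift < 0n ? -drift : drift;
    if (abs > maxAbsDrift) maxAbsDrift = abs;
  }
  return { mismatches, maxAbsDrift };
}

// Constructed sample: liquidity index of 1.25 (in ray), amounts 1..100 base units.
const SAMPLE_INDEX = (RAY * 125n) / 100n;
const report = scanDrift(1n, 100n, SAMPLE_INDEX);
console.log(`${report.mismatches.length} of 100 amounts differ, max drift ${report.maxAbsDrift}`);
for (const m of report.mismatches.slice(0, 3)) {
  console.log(`amount=${m.amount} amountUnderlying=${m.amountUnderlying} drift=${m.drift}`);
}
```
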

Impact

  • Inaccurate Data Reporting: The incorrect return values can lead to confusion and incorrect data being used by the LendingPool contract when processing withdrawals.

  • Potential for Errors in LendingPool: The LendingPool contract relies on the return values of the withdraw function. If these values are incorrect, it could lead to errors in the LendingPool's logic, potentially affecting user balances or the protocol's overall state.

Recommended Mitigation

  1. Correct Return Values: Change the withdraw function to return the correct values:

function withdraw(
ReserveData storage reserve,
ReserveRateData storage rateData,
uint256 amount,
address to
) internal returns (uint256, uint256, uint256) {
// ... other code ...
uint256 amountScaled = amount.rayDiv(reserve.liquidityIndex); // Scaled amount
uint256 amountUnderlying = amountScaled.rayMul(reserve.liquidityIndex);
// ... other code ...
- return (amountUnderlying, burnedScaledAmount, amount); // Incorrect return values
+ return (amountWithdrawn, burnedScaledAmount, amountUnderlying); // Correct return values
}
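
Review bot: the `-` line, `return (amountUnderlying, burnedScaledAmount, amount)`, does not match the return statement quoted under Vulnerability Details, whose third element is `amountUnderlying`, so confirm against the source which statement is actually being replaced. On the `+` line, neither `amountWithdrawn` nor `burnedScaledAmount` is declared in the lines shown (only `amountScaled` and `amountUnderlying` are), so the patch should show where they are assigned; naming the three return values in the `returns (...)` clause would also make the intended order explicit to callers.
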
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

ReserveLibrary::withdraw returns amountUnderlying instead of amountWithdrawn, causing incorrect event emissions and potential calculation errors in LendingPool

