Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

transferFrom in the RToken contract uses a stale liquidity index to calculate the scaled amount.

Summary

transferFrom uses a stale liquidity index to calculate the scaled amount, because that index is never updated.

Vulnerability Details

The following is the transferFrom function in the RToken contract.

function transferFrom(address sender, address recipient, uint256 amount) public override(ERC20, IERC20) returns (bool) {
    // Scales by the stored _liquidityIndex rather than the pool's current normalized income
    uint256 scaledAmount = amount.rayDiv(_liquidityIndex);
    return super.transferFrom(sender, recipient, scaledAmount);
}

As can be seen, it uses _liquidityIndex instead of ILendingPool(_reservePool).getNormalizedIncome().

_liquidityIndex is never updated anywhere in the codebase, so it always remains 1e27.

Impact

The scaled amount is incorrectly calculated.
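
The effect can be reproduced off-chain with a small model. This is an added example, not code from the RToken repository or from the submission. It assumes Aave-style half-up ray math and that a holder's displayed balance is the scaled balance multiplied by the normalized income; ScaledTokenModel, compareTransfers, the account names and all amounts are constructed for illustration.

```javascript
// Added illustration; a simplified model, not the RToken contract itself.
const RAY = 10n ** 27n;
// Ray math with half-up rounding (Aave-style WadRayMath; assumed to match the project's library).
const rayDiv = (a, b) => (a * RAY + b / 2n) / b;
const rayMul = (a, b) => (a * b + RAY / 2n) / RAY;

class ScaledTokenModel {
  constructor(normalizedIncome) {
    this.normalizedIncome = normalizedIncome; // stands in for getNormalizedIncome()
    this.liquidityIndex = RAY;                // _liquidityIndex: never updated, stays 1e27
    this.scaled = new Map();                  // scaled balances, as the ERC20 base would store them
  }
  scaledBalanceOf(who) { return this.scaled.get(who) ?? 0n; }
  // Assumption: the displayed balance is the scaled balance times the normalized income.
  balanceOf(who) { return rayMul(this.scaledBalanceOf(who), this.normalizedIncome); }
  mintScaled(who, amt) { this.scaled.set(who, this.scaledBalanceOf(who) + amt); }
  moveScaled(from, to, amt) {
    if (this.scaledBalanceOf(from) < amt) throw new Error("insufficient scaled balance");
    this.scaled.set(from, this.scaledBalanceOf(from) - amt);
    this.scaled.set(to, this.scaledBalanceOf(to) + amt);
  }
  // Mirrors transfer(): scales by the current normalized income.
  transfer(from, to, amount) {
    this.moveScaled(from, to, rayDiv(amount, this.normalizedIncome));
  }
  // Mirrors transferFrom() as reported: scales by the stale index.
  transferFrom(from, to, amount) {
    this.moveScaled(from, to, rayDiv(amount, this.liquidityIndex));
  }
}

// Runs the same transfer through both paths on fresh models and reports what moved.
function compareTransfers(amount, normalizedIncome) {
  const out = {};
  for (const fn of ["transfer", "transferFrom"]) {
    const token = new ScaledTokenModel(normalizedIncome);
    token.mintScaled("alice", 1000n * 10n ** 18n); // constructed starting balance
    token[fn]("alice", "bob", amount);
    out[fn] = { scaledMoved: token.scaledBalanceOf("bob"), received: token.balanceOf("bob") };
  }
  return out;
}

// Constructed inputs: 100 tokens requested, normalized income grown to 1.25 ray.
const result = compareTransfers(100n * 10n ** 18n, 125n * 10n ** 25n);
console.log(result);
```

In this model the two paths agree only while the normalized income is still exactly 1e27; once it grows, the transferFrom path moves more scaled units than the same request made through transfer.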

Tools Used

Recommendations

Use ILendingPool(_reservePool).getNormalizedIncome() instead, just as the transfer function does.

function transfer(address recipient, uint256 amount) public override(ERC20, IERC20) returns (bool) {
    // Scales by the pool's current normalized income
    uint256 scaledAmount = amount.rayDiv(ILendingPool(_reservePool).getNormalizedIncome());
    return super.transfer(recipient, scaledAmount);
}

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RToken::transfer uses getNormalizedIncome() while transferFrom uses _liquidityIndex, creating inconsistent transfer amounts depending on function used
