Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Burn functionality within RToken uses the incorrect amount

escrow

Summary

The burn function within the RToken.sol contract is responsible for burning the RToken's from a user and transferring the underlying asset in return. We calculate the user's balance via balanceOf, as well as updating the index for their independant user state in order to conclude an accurate calculation. Additionally, we scale the amount in respect of the index via RAAC's rayMul.

Vulnerability Details

The burn functionality uses the amount which is used as input for the burn function in order to send the relative amount of the _assetAddress, and also uses the incorrect amount regarding the actual _burn execution process. Prior to this, we initialise the variable amountScaled to successfully account for the scaling of amount in respect of the updated index used. However, this correct variable is not used.

function burn(address from, address receiverOfUnderlying, uint256 amount, uint256 index)

...

uint256 amountScaled = amount.rayMul(index); //correct

...

_burn(from, amount.toUint128()); //incorrect

if (receiverOfUnderlying != address(this)) {

IERC20(_assetAddress).safeTransfer(receiverOfUnderlying, amount); //incorrect

}

Additionally, we invoke the wrong amount's when executing the return at the end of the call.

Impact

The burning functionality presents inaccurate accounting for the from user, and therefore burns the incorrect amount of tokens in respect of the index as intended.

Tools Used

Manual review

Recommendations

Utilise the correct variable which is responsible for the amount scaled, e.g. amountScaled and not directly the amount that is being passed into the function.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

RToken::burn transfers original deposit amount (amount) to users instead of amount plus interest (amountScaled), causing loss of all accrued interest on withdrawals

RToken::burn incorrectly burns amount (asset units) instead of amountScaled (token units), breaking token economics and interest-accrual mechanism

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

RToken::burn transfers original deposit amount (amount) to users instead of amount plus interest (amountScaled), causing loss of all accrued interest on withdrawals

RToken::burn incorrectly burns amount (asset units) instead of amountScaled (token units), breaking token economics and interest-accrual mechanism

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!