Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Invalid

ReserveLibrary withdraw function incorrectly sets caller's address during burn

Author Revealed upon completion

Summary

When calling the RToken burn function, ReserveLibrary is supposed to set the first parameter, which is the caller parameter, to address.this, but instead it sets the recipient address as both the caller and the receiver address.

Vulnerability Details

Here is the section of the withdraw function in ReserveLibrary:

```sol
(
    uint256 burnedScaledAmount,
    uint256 newTotalSupply,
    uint256 amountUnderlying
) = IRToken(reserve.reserveRTokenAddress).burn(
    recipient, // from: should be address.this
    recipient, // receiverOfUnderlying
    amount, // amount
    reserve.liquidityIndex // index
);
amountWithdrawn = burnedScaledAmount;
```

The RToken.burn function below expects the from parameter to be the reserve pool address:

```sol
function burn(
    address from, // should be the address of the caller
    address receiverOfUnderlying,
    uint256 amount,
    uint256 index
) external override onlyReservePool returns (uint256, uint256, uint256) {
    if (amount == 0) {
        return (0, totalSupply(), 0);
    }
    uint256 userBalance = balanceOf(from);
    _userState[from].index =
```

Impact

low

Tools Used

manual review

Recommendations

Set the first parameter to address.this when calling the burn function in ReserveLibrary.withdraw:

uint256 burnedScaledAmount,
uint256 newTotalSupply,
uint256 amountUnderlying
) = IRToken(reserve.reserveRTokenAddress).burn(
++ address.this, //caller
recipient, // receiverOfUnderlying
amount, // amount
reserve.liquidityIndex // index
);
amountWithdrawn = burnedScaledAmount;
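
Review bot: On the added `++ address.this, //caller` line, `address.this` is not valid Solidity; the contract's own address is written `address(this)`. Beyond the syntax, the quoted burn body reads `balanceOf(from)` and writes `_userState[from]`, so `from` selects the account whose RTokens are burned. Passing the pool's own address there would make burn operate on the pool's balance and state instead of the withdrawing user's, so the change needs a justification for why the pool, and not `recipient`, holds the tokens being burned.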

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 days ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
