Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View all submissions
Previous Next
Submission Details
Severity: medium
Valid

Incorrect Dust Amount Calculation Due to Unnecessary Balance Scaling

Author Revealed upon completion

Summary

In the RToken.sol contract, the calculateDustAmount function incorrectly scales the contract's underlying asset balance by dividing it by the normalized income, leading to an underreported dust amount.

Vulnerability Details

The issue occurs in the calculateDustAmount function:

function calculateDustAmount() public view returns (uint256) {
// Incorrect: Balance doesn't need to be divided by normalized income
uint256 contractBalance = IERC20(_assetAddress).balanceOf(address(this))
.rayDiv(ILendingPool(_reservePool).getNormalizedIncome());
uint256 currentTotalSupply = totalSupply();
uint256 totalRealBalance = currentTotalSupply.rayMul(ILendingPool(_reservePool).getNormalizedIncome());
return contractBalance <= totalRealBalance ? 0 : contractBalance - totalRealBalance;
}

The function incorrectly scales down the contract's actual balance by dividing it by the normalized income. The underlying asset balance represents real tokens and should not be scaled, as it's already in the correct denomination.

This impacts functions that rely on dust calculation:

  • transferAccruedDust

Impact

The impact is High because it causes the dust amount to be incorrectly reported as lower than actual

Tools Used

  • Manual code review

Recommendations

Remove the scaling operation from the contractBalance calculation in calculateDustAmount()

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 days ago
Submission Judgement Published
Validated
Assigned finding tags:

RToken::calculateDustAmount incorrectly applies liquidity index, severely under-reporting dust amounts and permanently trapping crvUSD in contract

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.