Core Contracts

Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Submission Details
Severity: high
Valid

`_liquidityIndex` is used in Rtoken transferFrom and transfer are double divided

Summary

The issue arises because the transfer and transferFrom functions in the contract first divide the amount by the liquidity index before passing it to the underlying _update function. However, the _update function also performs a division by the normalized income. This results in a double division of the amount, leading to incorrect token transfers.

Vulnerability Details

The current implementation of the transfer and transferFrom functions scales the amount by dividing it by the liquidity index (_liquidityIndex) before calling the super.transfer or super.transferFrom functions. The _update function, which is called internally by these functions, further scales the amount by dividing it by the normalized income. This double division results in an incorrect final amount being transferred.

For example:

  1. A user attempts to transfer amount = X.

  2. The transfer function divides X by _liquidityIndex, resulting in scaledAmount = X / _liquidityIndex.

  3. The _update function divides scaledAmount by the normalized income, resulting in finalAmount = (X / _liquidityIndex) / normalizedIncome.

  4. This double division leads to a significantly smaller amount being transferred than intended.

Impact

The double division of the amount results in incorrect token transfers. Users will receive or send a much smaller amount of tokens than expected, leading to financial inconsistencies and potential loss of funds.

Tools Used

Manual review

Recommendations

To resolve this issue, remove the scaling logic from the transfer and transferFrom functions, as the scaling is already handled by the _update function. This ensures that the amount is only scaled once, avoiding the double division problem.

Make the following changes:

function transfer(address recipient, uint256 amount) public override(ERC20, IERC20) returns (bool) {
- uint256 scaledAmount = amount.rayDiv(_liquidityIndex);
- return super.transfer(recipient, scaledAmount);
+ return super.transfer(recipient, amount);
}
function transferFrom(address sender, address recipient, uint256 amount) public override(ERC20, IERC20) returns (bool) {
- uint256 scaledAmount = amount.rayDiv(_liquidityIndex);
- return super.transferFrom(sender, recipient, scaledAmount);
+ return super.transferFrom(sender, recipient, amount);
}

This change ensures that the amount is only scaled once in the _update function, preventing the double division issue and ensuring accurate token transfers.

Also the logic with _liquidityIndex is totally wrong and it should be removed.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

RToken::transfer and transferFrom double-scale amounts by dividing in both external functions and _update, causing users to transfer significantly less than intended

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

RToken::transfer and transferFrom double-scale amounts by dividing in both external functions and _update, causing users to transfer significantly less than intended

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.