`RToken::transferFrom()` always transfers wrong amounts
Vulnerability Details
On RToken::transferFrom() a wrong amount will always be transferred. As the amount argument is applied twice a rayDiv() with the liquidity index.
When transfering the first div happens here.
And the second happens in _update(), here.
This is because transferFrom() calls eventually call _transfer() which eventually calls _update(). See OZ ERC20 implementation of transferFrom() here that calls update here.
Impact
RToken::transferFrom() results always in the receiver receiving less amount.
Recommendations
Only apply the rayDiv() once, remove the division here. The _update() div one will now be the only one.
For reference you can see AAVE aToken::ScaledBalanceToken code, they only apply it once, here. Right before the common ERC20 logic call.
Lead Judging Commences
RToken::transfer and transferFrom double-scale amounts by dividing in both external functions and _update, causing users to transfer significantly less than intended
RToken::transfer and transferFrom double-scale amounts by dividing in both external functions and _update, causing users to transfer significantly less than intended
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.