The protocol aims to maintain the stability and value of RToken through various mechanisms, including the ability to mint and burn tokens. The RToken contract in RToken.sol defines the core functionality of RToken, including the melt() function, which allows the furnace contract to burn a specified amount of RTokens from the caller's account balance.
However, the function lacks a check to ensure that the caller has a sufficient balance to perform the melting operation. This oversight allows a caller to burn more RTokens than they actually own, leading to an incorrect reduction in the total supply and an inconsistent state of the system.
Impact
An attacker can exploit this vulnerability to burn more RTokens than they possess, effectively manipulating their own balance and the total supply of RTokens in the system.
By allowing the burning of non-existent tokens, the melt() function can cause discrepancies between the actual token balances and the expected balances based on the melting operations. This inconsistency can lead to further issues in the protocol's accounting and functionality.
The issue violates the expected behavior and invariants of the melting operation, which should only allow the burning of tokens that the caller actually owns. This violation can undermine the trust and reliability of the Reserve Protocol.
Proof of Concept
Alice interacts with the Reserve Protocol and owns 100 RTokens.
Alice calls the melt() function, attempting to burn 150 RTokens, which exceeds her actual balance of 100 RTokens.
Due to the lack of a balance check in the melt() function, the operation succeeds, and 150 RTokens are burned from Alice's account.
As a result, Alice's balance becomes -50 RTokens, and the total supply of RTokens in the system is incorrectly reduced by 150 instead of 100.
As evident from the code at RToken.sol:370-375, which shows the vulnerable melt() function, there is no check to ensure that the caller's balance (balanceOf(caller)) is greater than or equal to the amtRToken being melted.
Tools Used
Manual review
Recommended Mitigation Steps
Add a balance check in the melt() function to ensure that the caller has a sufficient balance to perform the melting operation.
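One way to write the recommended balance check and a regression test for it, as an added example that is not the Reserve Protocol's code or part of the original submission. MeltableToken, its mint() fixture, the InsufficientBalance error and the test contract are hypothetical stand-ins; a Foundry project with forge-std and 18-decimal amounts are assumed, and the 100/150 figures are reused from the proof of concept.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
import {Test} from "forge-std/Test.sol"; // assumption: Foundry project with forge-std installed

// Hypothetical stand-in token for illustration; NOT the Reserve Protocol RToken.
contract MeltableToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    error InsufficientBalance(address caller, uint256 balance, uint256 requested);

    function mint(address to, uint256 amount) external { // unrestricted: test fixture only
        balanceOf[to] += amount;
        totalSupply += amount;
    }

    // Explicit balance check before any state change, as the mitigation recommends.
    function melt(uint256 amtRToken) external {
        uint256 bal = balanceOf[msg.sender];
        if (bal < amtRToken) revert InsufficientBalance(msg.sender, bal, amtRToken);
        balanceOf[msg.sender] = bal - amtRToken;
        totalSupply -= amtRToken;
    }
}

contract MeltBalanceCheckTest is Test {
    MeltableToken token;
    address alice = address(0xA11CE); // constructed test address

    function setUp() public {
        token = new MeltableToken();
        token.mint(alice, 100 ether); // Alice owns 100 tokens
    }

    // Alice holds 100 and tries to melt 150: the call must revert and state must not move.
    function test_meltMoreThanBalanceReverts() public {
        vm.expectRevert(abi.encodeWithSelector(
            MeltableToken.InsufficientBalance.selector, alice, 100 ether, 150 ether));
        vm.prank(alice);
        token.melt(150 ether);
        assertEq(token.balanceOf(alice), 100 ether);
        assertEq(token.totalSupply(), 100 ether);
    }
    // A melt within balance reduces the balance and the supply by the same amount.
    function test_meltWithinBalanceUpdatesSupply() public {
        vm.prank(alice);
        token.melt(40 ether);
        assertEq(token.balanceOf(alice), 60 ether);
        assertEq(token.totalSupply(), 60 ether);
    }
}
```

Pointing the same two tests at the real contract under review shows whether an over-balance melt already reverts there.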
Lines of code
https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/p1/RToken.sol#L370-L375
Assessed type
Invalid Validation