Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Wrong values used in `RAACMinter::getUtilizationRate`, potentially producing an incorrect RAACToken rewards emission rate

Summary

`RAACMinter::tick` is used to calculate the emission rate that should apply to RAACToken rewards, but it is flawed in how it calculates the utilization rate of the whole system: the result is always a high percentage.

Vulnerability Details

The culprit lies inside the `getUtilizationRate` function, which crucial functions such as `tick` rely on:

RAACMinter.sol#L241-L246

/**
 * @dev Calculates the current system utilization rate
 * @return The utilization rate as a percentage (0-100)
 */
function getUtilizationRate() internal view returns (uint256) {
@>  uint256 totalBorrowed = lendingPool.getNormalizedDebt();
@>  uint256 totalDeposits = stabilityPool.getTotalDeposits();
    if (totalDeposits == 0) return 0;
    return (totalBorrowed * 100) / totalDeposits;
}

First, it wrongly retrieves `totalBorrowed` by calling `lendingPool.getNormalizedDebt()`, whose result is only the current debt index, usually in RAY (e.g. 1.1e27).

Second, `totalDeposits` only counts the rToken deposited inside the stability pool, not the whole system. It should instead retrieve the total assets deposited in the `LendingPool`, as the utilization rate is derived from the value of borrowed assets versus deposited assets.

The documentation states that RAACMinter's interaction with LendingPool is for getting system utilization data.
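The two calculations side by side, as an added example that is not part of the original submission or the RAAC code base. It models the Solidity arithmetic with BigInt; the sample amounts, the 18-decimal token scale and the helper names are assumptions, and `totalLiquidity` is treated as total lending-pool deposits, as the recommendation in this report does.

```javascript
// Added example: BigInt models Solidity's truncating uint256 arithmetic.
const RAY = 10n ** 27n; // scale of the debt index, per the finding
const WAD = 10n ** 18n; // assumption: 18-decimal token amounts

// Version quoted in the finding: debt index over stability-pool deposits.
function buggyUtilization(s) {
  const totalBorrowed = s.usageIndex;            // value of getNormalizedDebt()
  const totalDeposits = s.stabilityPoolDeposits; // rToken in the stability pool only
  if (totalDeposits === 0n) return 0n;
  return (totalBorrowed * 100n) / totalDeposits;
}

// Recommended version: lending-pool borrowed amount over lending-pool deposits.
function fixedUtilization(s) {
  if (s.totalLiquidity === 0n) return 0n;
  return (s.totalUsage * 100n) / s.totalLiquidity;
}

// Constructed state (not taken from the contest code base): 1000 tokens
// deposited in the lending pool, 1000 rToken in the stability pool, and a
// debt index of 1.1 RAY. Only the borrowed amount varies.
function sampleState(borrowedTokens) {
  return {
    usageIndex: (11n * RAY) / 10n,
    totalUsage: borrowedTokens * WAD,
    totalLiquidity: 1000n * WAD,
    stabilityPoolDeposits: 1000n * WAD,
  };
}

// Regression check matching the NatSpec promise "percentage (0-100)".
function isPercentage(rate) {
  return rate >= 0n && rate <= 100n;
}

function compare() {
  return [0n, 500n, 900n].map((borrowed) => {
    const s = sampleState(borrowed);
    const buggy = buggyUtilization(s);
    const fixed = fixedUtilization(s);
    return { borrowed, buggy, fixed, buggyInRange: isPercentage(buggy) };
  });
}

for (const row of compare()) {
  console.log(`borrowed=${row.borrowed} buggy=${row.buggy}% fixed=${row.fixed}%`);
}
```

The buggy result is identical in every row because it never reads the borrowed amount, so a test that varies borrowing and expects the rate to move would have caught the mix-up.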

Impact

Dividing the index by only the rToken deposited in the stability pool leads to a falsely high utilization rate. This leads to an incorrect emission rate for RAACToken rewards when the `tick` function is called, resulting in diluted rewards and the dynamic emission described in the documentation not functioning. Diluted rewards reduce the potential benefit for users who deposit their rToken in the stability pool.

Tools Used

Manual review

Recommendations

Retrieve `reserve.totalUsage` and `reserve.totalLiquidity` from the lending pool, then use them to correctly calculate the utilization rate in RAACMinter:

diff --git a/contracts/core/pools/LendingPool/LendingPool.sol b/contracts/core/pools/LendingPool/LendingPool.sol
index b02fc97..1f6bce1 100644
--- a/contracts/core/pools/LendingPool/LendingPool.sol
+++ b/contracts/core/pools/LendingPool/LendingPool.sol
@@ -610,6 +621,14 @@ contract LendingPool is ILendingPool, Ownable, ReentrancyGuard, ERC721Holder, Pa
return reserve.usageIndex;
}
+ function getTotalBorrowed() external view returns (uint256) {
+ return reserve.totalUsage;
+ }
+
+ function getTotalDeposits() external view returns (uint256) {
+ return reserve.totalLiquidity;
+ }
+
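Review bot: `getTotalBorrowed()` and `getTotalDeposits()` are added to `LendingPool` without NatSpec, and nothing in this hunk declares them in `ILendingPool`. Since RAACMinter divides one by the other, document whether each return value is an underlying amount or index-scaled, and declare both in the interface if the minter holds the pool through it. The name `getTotalDeposits` also matches the stability pool getter that the minter was calling by mistake, so a more specific name would make a repeat of that mix-up less likely.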
diff --git a/contracts/core/minters/RAACMinter/RAACMinter.sol b/contracts/core/minters/RAACMinter/RAACMinter.sol
index 2cfe402..3b7b2c2 100644
--- a/contracts/core/minters/RAACMinter/RAACMinter.sol
+++ b/contracts/core/minters/RAACMinter/RAACMinter.sol
@@ -239,8 +245,8 @@ contract RAACMinter is IRAACMinter, Ownable, ReentrancyGuard, Pausable, AccessCo
* @return The utilization rate as a percentage (0-100)
*/
function getUtilizationRate() internal view returns (uint256) {
- uint256 totalBorrowed = lendingPool.getNormalizedDebt();
- uint256 totalDeposits = stabilityPool.getTotalDeposits();
+ uint256 totalBorrowed = lendingPool.getTotalBorrowed();
+ uint256 totalDeposits = lendingPool.getTotalDeposits();
if (totalDeposits == 0) return 0;
return (totalBorrowed * 100) / totalDeposits;
}
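Review bot: the NatSpec kept above `getUtilizationRate()` still promises a percentage in 0-100, but `(totalBorrowed * 100) / totalDeposits` is not bounded by anything in this hunk. If `reserve.totalLiquidity` can be smaller than `reserve.totalUsage` (for example if it tracks only liquidity not currently lent out), the result exceeds 100, so either confirm that cannot happen or clamp the result. A test with zero borrows and with a partly borrowed pool, asserting that the rate changes between them, would pin the intended behaviour.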
Updates

Lead Judging Commences

inallhonesty Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACMinter::getUtilizationRate incorrectly mixes stability pool deposits with lending pool debt index instead of using proper lending pool metrics
