RAACMinter: wrong calculation of UtilizationRate
Summary
The RAACMinter.getUtilizationRate() function calculates the utilization rate incorrectly because lendingPool.getNormalizedDebt() returns reserve.usageIndex instead of the actual total borrowed amount. This results in an inaccurate utilization rate, leading to incorrect emission rate calculations for RAAC tokens.
Vulnerability Details
The problem gets serious because RAACMinter is relied on the result of LendingPool.getNormalizedDebt() .
This is the execution path:
RAACMinter.tick > updateEmissionRate() > calculateNewEmissionRate() > getUtilizationRate() > lendingPool.getNormalizedDebt()
In utilization rate calculation:
totalBorrowed equals to usageIndex (which is > 1 RAY)
totalDeposits is balance of RAAC tokens (which can be e18 or other decimals)
So utilization rate can be any number from 0 to 1e9 based on the token decimals and usageIndex.
NOTE: It also assumes that decimals of totalBorrowed (asset) and totalDeposits (rTokens) are same.
Impact
Wrong emission rate will lead to unfair distribution of RAAC tokens among users
Tools Used
vscode
Recommendations
Change LendingPool.getNormalizedDebt() function to return actual amount of totalDebts
Lead Judging Commences
RAACMinter::getUtilizationRate incorrectly mixes stability pool deposits with lending pool debt index instead of using proper lending pool metrics
RAACMinter::getUtilizationRate incorrectly mixes stability pool deposits with lending pool debt index instead of using proper lending pool metrics
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.