Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Invalid

Inconsistent Token Reference Usage in Reward Calculation

Summary

The calculateRaacRewards function in the StabilityPool contract mixes token references: it takes userDeposit, which is recorded in RToken units, and calculates total deposits from deToken.totalSupply(). Although RToken and DEToken maintain a 1:1 peg with matching decimals, this inconsistency hurts code clarity and maintainability, and can cause confusion or errors in future updates.

Vulnerability Details

    function calculateRaacRewards(address user) public view returns (uint256) {
        uint256 userDeposit = userDeposits[user]; // RToken units
        uint256 totalDeposits = deToken.totalSupply(); // @audit DEToken units: this is wrong
        uint256 totalRewards = raacToken.balanceOf(address(this));
        if (totalDeposits < 1e6) return 0;
        return (totalRewards * userDeposit) / totalDeposits;
    }

  • The function relies on userDeposits, which record deposits in RToken units (i.e., the actual tokens transferred into the contract).

  • It then uses deToken.totalSupply() for total deposit calculation. Even though DEToken is minted in a 1:1 ratio with RToken deposits, this mixing of references assumes that both tokens share exactly the same decimal precision and behavior.

  • Such inconsistent references introduce an implicit dependency on the token design; if future modifications change any assumption about the relationship or decimals of RToken and DEToken, reward distribution might be affected.

  • While the current design enforces a 1:1 peg, the use of two different token sources in the same arithmetic operation is against best practices in contract development, as it reduces code clarity, increases complexity, and may lead to subtle bugs.
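
The implicit dependency described above, as an added example (not the project's code): a Python integer model of calculateRaacRewards that checks whether the rewards computed for all users stay within the pool's reward balance. The depositor names, amounts and the 6-decimal DEToken scenario are constructed assumptions.

```python
# Added illustration: integer model of calculateRaacRewards (not the project's code).
# All amounts and the 6-decimal DEToken scenario are constructed assumptions.

MIN_TOTAL = 10**6  # mirrors the `totalDeposits < 1e6` guard in the contract


def calculate_raac_rewards(user_deposit, total_deposits, total_rewards):
    """Same arithmetic as the Solidity function, with floor division."""
    if total_deposits < MIN_TOTAL:
        return 0
    return (total_rewards * user_deposit) // total_deposits


def allocation_report(user_deposits, denominator, total_rewards):
    """Sum every user's computed reward and compare it with the reward balance."""
    allocated = sum(
        calculate_raac_rewards(d, denominator, total_rewards)
        for d in user_deposits.values()
    )
    return {
        "allocated": allocated,
        "total_rewards": total_rewards,
        "over_allocated": allocated > total_rewards,
        "units_match": denominator == sum(user_deposits.values()),
    }


# Constructed sample: three depositors, amounts in 18-decimal RToken units.
DEPOSITS = {"alice": 100 * 10**18, "bob": 250 * 10**18, "carol": 50 * 10**18}
REWARDS = 1_000 * 10**18  # RAAC held by the pool

# Case 1: DEToken minted 1:1 with matching decimals, as the report describes.
detoken_supply_pegged = sum(DEPOSITS.values())
pegged = allocation_report(DEPOSITS, detoken_supply_pegged, REWARDS)

# Case 2 (hypothetical): DEToken changed to 6 decimals, userDeposits still 18.
detoken_supply_6dec = sum(DEPOSITS.values()) // 10**12
skewed = allocation_report(DEPOSITS, detoken_supply_6dec, REWARDS)

if __name__ == "__main__":
    print("pegged:", pegged)
    print("skewed:", skewed)
```

With the peg intact the computed rewards sum exactly to the reward balance; in the hypothetical decimals change the same formula allocates 10^12 times more than the pool holds, which is the kind of regression an invariant test on the sum of user rewards would catch.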

Impact

Due to the 1:1 peg of RToken and DEToken (with matching decimals), the immediate financial or security impact is low. However, the inconsistency in using different token metrics for the same calculation:

  • May lead to maintenance challenges or errors during future extensions.

  • Impacts overall code quality and clarity, which indirectly influences long-term protocol robustness.

Tools Used

Manual code review

Recommendations

Replace deToken.totalSupply() with rToken.balanceOf(address(this)) to ensure both user deposits and total deposits are measured using the same token unit.

function calculateRaacRewards(address user) public view returns (uint256) {
uint256 userDeposit = userDeposits[user];
+ uint256 totalDeposits = rToken.balanceOf(address(this));// FIXED
uint256 totalRewards = raacToken.balanceOf(address(this));
if (totalDeposits < 1e6) return 0;
return (totalRewards * userDeposit) / totalDeposits;
}
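
Review bot: On the added totalDeposits line, rToken.balanceOf(address(this)) is still a different source from the userDeposits mapping that feeds the numerator. The balance counts every RToken the contract holds, whether or not it was recorded in userDeposits, so the denominator can differ from the sum of recorded deposits even though the unit now matches. If the intent is one ledger for both operands, consider a running total that is updated wherever userDeposits is written, and add a comment stating which quantity the 1e6 guard is meant to bound. The snippet also shows only the + line; include the replaced deToken.totalSupply() line as a - line so the change is unambiguous.
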
Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
