The RAACPrimeRateOracle contract could allow a malicious actor to manipulate the prime rate through oracle manipulation attacks.
The contract depends on Chainlink to fetch the prime rate, but the returned value is used without a lower bound, an upper bound, or a freshness check, so it is exposed to oracle manipulation in several ways.
Below are a few example scenarios that could occur:
Scenario 1: Prime rate manipulation to 0%
How?
Since there is no minimum prime rate, an attacker who can influence the value returned by the Chainlink request (or a faulty response) could set the prime rate to 0%. Borrowers could then borrow at no interest, drain the pool, and leave the protocol holding bad debt.
Mitigation: Add a minimum prime rate (MIN_RATE) and reject any update below it.
==
Scenario 2: Prime rate manipulation to 1000%
How?
The oracle suddenly returns an extreme value, say 1000%. Interest accrues at that rate, existing positions become undercollateralized, and borrowers are liquidated at once.
Mitigation: Add a maximum prime rate (MAX_RATE) and reject any update above it.
==
Scenario 3: Delayed oracle update
How?
An attacker can time their borrowing for when the prime rate is stale: if the rate has not been updated, they can borrow at the old, lower rate.
Mitigation: Require a minimum update frequency (a MAX_UPDATE_DELAY) and have consumers revert when the last update is older than that.
Impact: financial loss from zero-rate attacks (interest-free borrowing that leaves the protocol with bad debt), liquidation cascades triggered by extreme rates, and broader protocol instability.
Tools used: manual review.
Recommendations:
Add MIN_RATE (1%) to prevent zero-interest attacks.
Add MAX_RATE (1000%) to protect against extreme manipulations.
Use multiple oracle sources (not just one API).
Ensure prime rate updates at least every 24 hours (MAX_UPDATE_DELAY
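The three mitigations above (minimum rate, maximum rate, maximum update delay), as an added example that is not part of this finding or of the RAAC codebase: a hypothetical BoundedPrimeRateOracle contract with placeholder constants. The contract name, the updater role, the basis-point encoding of the rate, the constant values and the MAX_STEP_BPS rate-of-change cap (which goes beyond the recommendations on this page) are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical hardened prime-rate oracle wrapper (added example, not RAAC code).
/// Rates are held in basis points (1% = 100 bps); all constants are placeholders.
contract BoundedPrimeRateOracle {
    uint256 public constant MIN_RATE = 100;          // 1%: blocks zero-interest borrowing (scenario 1)
    uint256 public constant MAX_RATE = 100_000;      // 1000%: blocks liquidation-cascade spikes (scenario 2)
    uint256 public constant MAX_UPDATE_DELAY = 24 hours; // consumers reject older rates (scenario 3)
    uint256 public constant MAX_STEP_BPS = 1_000;    // assumption: cap a single update at a 10-point move

    address public immutable updater;  // assumed trusted oracle-side caller (e.g. the Chainlink callback)
    uint256 public primeRate;          // last accepted rate, in bps
    uint256 public lastUpdated;        // block.timestamp of the last accepted update

    error NotUpdater();
    error RateOutOfBounds(uint256 rate);
    error RateStepTooLarge(uint256 oldRate, uint256 newRate);
    error StaleRate(uint256 age);

    event PrimeRateUpdated(uint256 oldRate, uint256 newRate, uint256 at);

    constructor(address _updater, uint256 initialRate) {
        updater = _updater;
        _setRate(initialRate);
    }

    /// Entry point for the oracle pipeline delivering a freshly fetched rate.
    function fulfillRate(uint256 newRate) external {
        if (msg.sender != updater) revert NotUpdater();
        _setRate(newRate);
    }

    /// Consumers (the lending pool) read through this instead of `primeRate` directly,
    /// so a stale value reverts rather than silently applying an old, lower rate.
    function getPrimeRate() external view returns (uint256) {
        uint256 age = block.timestamp - lastUpdated;
        if (age > MAX_UPDATE_DELAY) revert StaleRate(age);
        return primeRate;
    }

    function _setRate(uint256 newRate) internal {
        // Scenarios 1 and 2: reject 0% and absurd spikes outright.
        if (newRate < MIN_RATE || newRate > MAX_RATE) revert RateOutOfBounds(newRate);

        uint256 old = primeRate;
        // Rate-of-change cap (assumption beyond the page): a single update may not
        // move the rate by more than MAX_STEP_BPS. Skipped for the very first value.
        if (lastUpdated != 0) {
            uint256 delta = newRate > old ? newRate - old : old - newRate;
            if (delta > MAX_STEP_BPS) revert RateStepTooLarge(old, newRate);
        }

        primeRate = newRate;
        lastUpdated = block.timestamp;
        emit PrimeRateUpdated(old, newRate, block.timestamp);
    }
}
```

Making `getPrimeRate()` revert on staleness means borrowing halts until the oracle is refreshed; that is a deliberate trade-off, since a paused pool is cheaper than one lending at a rate the market has moved away from. The step cap adds a second line of defence: even a value inside [MIN_RATE, MAX_RATE] cannot swing the rate by a large amount in one update.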