Core Contracts

Summary

The RAACMinter::mintRewards function is never called within the StabilityPool contract, preventing the distribution of RAAC rewards. Since this function can only be invoked by the StabilityPool, and no call to it exists within the StabilityPool contract, the reward mechanism is effectively non-functional.

Vulnerability Details

The mintRewards function is designed to mint and distribute RAAC rewards, but it contains an access control restriction that only allows the stabilityPool contract to call it. However, within the StabilityPool contract, there are no calls to RAACMinter::mintRewards, making it impossible for rewards to be distributed as intended.

Code Reference: https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/minters/RAACMinter/RAACMinter.sol#L181

Lack of Invocation in StabilityPool

A review of the StabilityPool contract shows no function that calls mintRewards. As a result:

• Rewards that should be distributed remain locked.

• The protocol's reward distribution mechanism is non-functional.

• Participants expecting rewards do not receive them, leading to potential dissatisfaction and a failure in protocol incentives.

Steps to Reproduce

1. Deploy the RAACMinter contract.

2. Attempt to claim rewards through StabilityPool.

3. Observe that no RAAC tokens are distributed since mintRewards is never called.

Impact

• Complete Blockage of Reward Distribution: No rewards are ever minted or transferred to users.

• Protocol Incentive Failure: Since rewards are a key part of the system, users may be discouraged from participating.

Tools Used

Manual Review

Recommendations

Ensure mintRewards is called in StabilityPool