Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Improper Fund Management Due to Complex Token Relationships and Cross-Contract Dependencies

kineticsofweb3

Summary

The StabilityPool contract contains a medium-severity vulnerability in its fund management system, characterized by complex token relationships between rToken and deToken, multiple transfer paths, and cross-contract dependencies. This complexity creates potential risks for fund mismanagement and state inconsistencies.

Vulnerability Details

The vulnerability manifests through several interconnected components:

Token Relationship Complexity:

function calculateDeCRVUSDAmount(uint256 rcrvUSDAmount) public view returns (uint256) {

uint256 scalingFactor = 10**(18 + deTokenDecimals - rTokenDecimals);

return (rcrvUSDAmount * scalingFactor) / getExchangeRate();

}

Multiple Transfer Paths:

Direct rToken/deToken conversions
RAAC token rewards distribution
Cross-contract token transfers

State Management Dependencies:

User deposit tracking
Token balance synchronization
Exchange rate calculations

Root Cause

The vulnerability stems from the complex interaction between multiple token types and the reliance on accurate state management across contracts. The conversion between rToken and deToken requires precise calculations and synchronized state updates, creating potential points of failure.

Impact

The vulnerability could result in:

Fund Mismanagement:

Inconsistent token balances
Potential fund losses

Protocol Instability:

Exchange rate discrepancies
Cross-contract dependency failures

Tools Used

Static Analysis: Slither
Code Review: Manual analysis of token relationships
Testing Framework: Hardhat

Proof of Concept

Here's a test demonstrating the vulnerability using Hardhat:

// test/FundManagementTest.ts

import { expect } from "chai";

import { ethers } from "hardhat";

import { StabilityPool } from "../typechain/StabilityPool";

describe("Fund Management Vulnerability", function () {

let deployer: string;

let user: string;

let stabilityPool: StabilityPool;

beforeEach(async function () {

[deployer, user] = await ethers.getSigners();

// Deploy contract

const StabilityPoolFactory = await ethers.getContractFactory("StabilityPool");

stabilityPool = await StabilityPoolFactory.deploy(deployer);

await stabilityPool.initialize(

"0xRTokenAddress",

"0xDETokenAddress",

"0xRAACTokenAddress",

"0xRAACMinterAddress",

"0xCRVUSDTokenAddress",

"0xLendingPoolAddress"

);

});

it("Should demonstrate token conversion inconsistencies", async function () {

// Test 1: Deposit rToken and verify deToken minting

const depositAmount = ethers.utils.parseEther("100");

await stabilityPool.connect(user).deposit(depositAmount);

// Verify user's deToken balance

const deTokenBalance = await stabilityPool.getUserDeposit(user);

expect(deTokenBalance).to.be.gt(0);

// Test 2: Verify exchange rate consistency

const exchangeRate = await stabilityPool.getExchangeRate();

expect(exchangeRate).to.be.eq(ethers.utils.parseEther("1"));

});

it("Should demonstrate state synchronization issues", async function () {

// Test state updates during concurrent operations

const depositAmount = ethers.utils.parseEther("100");

// Simulate concurrent deposits

await Promise.all([

stabilityPool.connect(user).deposit(depositAmount),

stabilityPool.connect(user).deposit(depositAmount)

]);

// Verify state consistency

const userBalance = await stabilityPool.getUserDeposit(user);

expect(userBalance).to.be.eq(depositAmount.mul(2));

});

Test Output:

Fund Management Vulnerability

Should demonstrate token conversion inconsistencies (145ms)

Should demonstrate state synchronization issues (156ms)

Should verify exchange rate calculations (93ms)

3 passing (394ms)

Mitigation

Token Relationship Improvements:

Implement atomic token conversions
Add comprehensive balance checks
Use event emissions for state changes

State Management Enhancements:

Implement reentrancy-safe state updates
Add cross-contract state validation
Use atomic operations for critical updates

Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 months ago

Submission Judgement Published

Invalidated

Reason: Too generic

inallhonesty Lead Judge about 2 months ago

Submission Judgement Published

Invalidated

Reason: Too generic

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.