Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Potential RAAC Token Drain from StabilityPool due to Conversion logic and withdraw cooldown time

anomX

Summary

The StabilityPool contract has vulnerability in its token conversion logic where the calculateRcrvUSDAmount and calculateDeCRVUSDAmount functions implement a 1:1 mapping ratio. This design flaw, combined with the calculateRaacRewards function, could allow malicious users to drain RAAC tokens from the contract.

Vulnerability Details

Source

Lines 191-195 - calculateDeCRVUSDAmount function
Lines 201-205 - calculateRcrvUSDAmount function
*Lines 251 - 259 - calculateRaacRewards function

The vulnerability stems from three key components:

The calculateDeCRVUSDAmount function returns a 1:1 ratio for token conversion:

function calculateDeCRVUSDAmount(uint256 rcrvUSDAmount) public view returns (uint256) {

uint256 scalingFactor = 10**(18 + deTokenDecimals - rTokenDecimals);

return (rcrvUSDAmount * scalingFactor) / getExchangeRate();

}

The calculateRcrvUSDAmount function also maintains the same 1:1 ratio:

function calculateRcrvUSDAmount(uint256 deCRVUSDAmount) public view returns (uint256) {

uint256 scalingFactor = 10**(18 + rTokenDecimals - deTokenDecimals);

return (deCRVUSDAmount * getExchangeRate()) / scalingFactor;

}

function getExchangeRate() public view returns (uint256) {

__snip___

return 1e18;

}

The calculateRaacRewards function uses these values to determine rewards.

function calculateRaacRewards(address user) public view returns (uint256) {

uint256 userDeposit = userDeposits[user];

uint256 totalDeposits = deToken.totalSupply();

uint256 totalRewards = raacToken.balanceOf(address(this));

if (totalDeposits < 1e6) return 0;

return (totalRewards * userDeposit) / totalDeposits;

}

since the getExchangeRate function return 1e18 this cancels out the scalingFactor since both rToken and deToken are 18 decimal

Proof of Concept

Attacker deposits 1000 rTokens into the StabilityPool using the deposit function.
The attacker then calls the calculateDeCRVUSDAmount function to get 1000 deTokens, exploiting the 1:1 mapping ratio.
With the 1000 deTokens, the attacker calls the withdraw function to retrieve their original deposit of 1000 rTokens.
The attacker then calls the calculateRaacRewards function to claim 100 RAAC Token rewards, using the 1:1 mapping ratio and the 100 RAAC reward rate. (assume the RAAC calculated is 100 RAAC Token)
The attacker repeats steps 1-4, accumulating more RAAC tokens while maintaining their original capital of 1000 rTokens.

Impact

Potential drain of RAAC tokens from the contract
imbalance in the reward distribution system
Unfair advantage for malicious users over honest participants

Tools Used

Manual code review

Recommendations

Implement a better token conversion ratio.

Additionally:

Implement cooldown periods between deposits and withdrawals
Consider implementing TWA reward

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

StabilityPool::calculateRaacRewards is vulnerable to just in time deposits

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!