Submission Details
Severity:
Incorrect Denominator in `RAACMinter::getUtilizationRate` Leads to Overestimation
Summary
The RAACMinter::getUtilizationRate function uses an incorrect denominator (totalDeposits alone) instead of totalDeposits + totalBorrowed, causing the utilization rate to be mathematically overstated.
Vulnerability Details
function getUtilizationRate() internal view returns (uint256) {
uint256 totalBorrowed = lendingPool.getNormalizedDebt();
uint256 totalDeposits = stabilityPool.getTotalDeposits();
if (totalDeposits == 0) return 0;
return (totalBorrowed * 100) / totalDeposits; <==@found
}
Impact
Protocol Parameter Distortion:Utilization rate (UR) values exceed 100% when totalBorrowed > totalDeposits
Risk Model Failure:Incorrect UR affects interest rate curves and collateral requirements
Tools Used
Manual Review
Recommendations
Correct Denominator Implementation As Follows:
function getUtilizationRate() internal view returns (uint256) {
uint256 totalBorrowed = lendingPool.getNormalizedDebt();
uint256 totalDeposits = stabilityPool.getTotalDeposits();
if (totalDeposits == 0) return 0;
- return (totalBorrowed * 100) / totalDeposits;
+ return (totalBorrowed * 100) / (totalDeposits + totalBorrowed);
}
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420
USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.