Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Funds Deposited to Stability Pool Not Distributed to Managers

Summary

The depositRAACFromPool function in the Stability Pool is designed to receive raacToken deposits from the Liquidity Pool and distribute them to managers based on their allocation. However, the logic for distributing funds to managers is not implemented, as indicated by the TODO comment. As a result, funds deposited into the Stability Pool are not distributed to managers as intended. Instead, these funds remain in the Stability Pool and may be incorrectly distributed as rewards, deviating from the protocol's design and disrupting the intended fund allocation.

Affected Code: StabilityPool::depositRAACFromPool

Vulnerability Details

The depositRAACFromPool function is as follows:

    function depositRAACFromPool(uint256 amount) external onlyLiquidityPool validAmount(amount) {
        uint256 preBalance = raacToken.balanceOf(address(this));
        raacToken.safeTransferFrom(msg.sender, address(this), amount);
        uint256 postBalance = raacToken.balanceOf(address(this));
        if (postBalance != preBalance + amount) revert InvalidTransfer();
        // TODO: Logic for distributing to managers based on allocation
        emit RAACDepositedFromPool(msg.sender, amount);
    }

Issues:

  1. Missing Distribution Logic:

    • The function includes a TODO comment indicating that the logic for distributing funds to managers based on their allocation is not implemented.

    • As a result, funds deposited into the Stability Pool are not distributed to managers as intended.

  2. Incorrect Fund Usage:

    • Funds that should be allocated to managers remain in the Stability Pool and may be incorrectly distributed as rewards.

    • This deviates from the protocol's design and disrupts the intended fund allocation.

  3. Impact on Managers:

    • Managers do not receive their allocated funds, leading to potential financial losses and dissatisfaction.

Example:

  • Deposit: The Liquidity Pool deposits 1000 raacToken into the Stability Pool.

  • Intended Behavior:

    • The funds should be distributed to managers based on their allocation.

  • Actual Behavior:

    • The funds remain in the Stability Pool and may be distributed as rewards, disrupting the intended fund allocation.


Impact

  • Disrupted Fund Allocation: Funds intended for managers are not distributed, leading to potential financial losses for managers.

  • Incorrect Reward Distribution: Funds meant for managers may be incorrectly distributed as rewards, inflating user rewards and depleting funds allocated for other purposes.

  • Protocol Integrity: The protocol's functionality is compromised, leading to a loss of trust among managers and users.


Tools Used

  • Manual code review


Recommendations

Implement Distribution Logic

The depositRAACFromPool function should include logic to distribute funds to managers based on their allocation. Here’s an example implementation:

Updated Code:

    function depositRAACFromPool(uint256 amount) external onlyLiquidityPool validAmount(amount) {
        // Pull the tokens and verify that exactly `amount` arrived.
        uint256 preBalance = raacToken.balanceOf(address(this));
        raacToken.safeTransferFrom(msg.sender, address(this), amount);
        uint256 postBalance = raacToken.balanceOf(address(this));
        if (postBalance != preBalance + amount) revert InvalidTransfer();
        // Distribute funds to managers based on their allocation.
        // Skip the split when no allocation is set, so the division below cannot revert.
        uint256 remainingAmount = amount;
        if (totalAllocation > 0) {
            for (uint256 i = 0; i < managers.length; i++) {
                address manager = managers[i];
                uint256 allocation = managerAllocation[manager];
                uint256 managerAmount = (amount * allocation) / totalAllocation;
                if (managerAmount > 0) {
                    raacToken.safeTransfer(manager, managerAmount);
                    remainingAmount -= managerAmount;
                }
            }
        }
        // remainingAmount now holds any rounding remainder, which stays in the pool.
        // Emit event
        emit RAACDepositedFromPool(msg.sender, amount);
    }
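
The pro-rata split above uses integer division, so a remainder can stay in the pool, and the total allocation can be zero. The following JavaScript model is an added example, not code from the RAAC contracts or from this submission; the manager addresses and weights are constructed, and BigInt stands in for uint256.

```javascript
// Added model (not RAAC code): the pro-rata split from the recommended fix,
// using BigInt to mirror uint256 integer division.

// Constructed sample allocations; addresses and weights are hypothetical.
const SAMPLE_ALLOCATIONS = new Map([
  ["0xManagerA", 50n],
  ["0xManagerB", 30n],
  ["0xManagerC", 20n],
]);

// Split `amount` across managers by allocation weight, as the fix's loop does.
// Returns the per-manager payouts plus the remainder that stays in the pool.
function distributeToManagers(amount, allocations) {
  if (amount <= 0n) throw new RangeError("amount must be positive"); // validAmount
  let totalAllocation = 0n;
  for (const weight of allocations.values()) totalAllocation += weight;

  const payouts = new Map();
  let remaining = amount;
  if (totalAllocation > 0n) { // no allocation set: nothing to split, no division
    for (const [manager, weight] of allocations) {
      const share = (amount * weight) / totalAllocation; // BigInt division truncates
      if (share > 0n) {
        payouts.set(manager, share);
        remaining -= share;
      }
    }
  }
  return { payouts, remaining };
}

// Pool balance that a balance-based reward calculation would see after one deposit.
function poolBalanceAfterDeposit(preBalance, amount, allocations, distributionImplemented) {
  if (!distributionImplemented) return preBalance + amount; // TODO version keeps it all
  return preBalance + distributeToManagers(amount, allocations).remaining;
}

function demo() {
  const before = poolBalanceAfterDeposit(0n, 1000n, SAMPLE_ALLOCATIONS, false);
  const after = poolBalanceAfterDeposit(0n, 1000n, SAMPLE_ALLOCATIONS, true);
  // Three equal weights: 1000 does not divide evenly, so one unit is left over.
  const thirds = new Map([["0xA", 1n], ["0xB", 1n], ["0xC", 1n]]);
  const { payouts, remaining } = distributeToManagers(1000n, thirds);
  return { before, after, thirdsShare: payouts.get("0xA"), thirdsDust: remaining };
}

console.log(demo());
```

With the 1000-token deposit from the example, the unimplemented version leaves all 1000 tokens in the pool balance, while the split leaves only the rounding remainder.
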
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

StabilityPool::calculateRaacRewards uses contract balance for reward calculation, incorrectly including tokens meant for manager allocation - Manager allocation not implemented
