Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

Incorrect Reward Calculation Due to Improper Use of Contract Balance in `calculateRaacRewards` Function

0xslowbug

Summary

The calculateRaacRewards function calculates user rewards based on the total balance of the raacToken held by the contract. However, this approach is flawed because not all tokens in the contract balance are intended for rewards. Some tokens may be allocated for other purposes, such as distributing to managers or other operational needs. This leads to inflated reward calculations, which can deplete funds meant for other uses and disrupt the protocol's intended functionality. The rewards should instead be tracked based on the tokens minted by the raacMinter and allocated specifically for user rewards.

Affected Code: StabilityPool::CalculateRaacReward

Vulnerability Details

The calculateRaacRewards function calculates rewards as follows:

function calculateRaacRewards(address user) public view returns (uint256) {
uint256 userDeposit = userDeposits[user];
uint256 totalDeposits = deToken.totalSupply();
// @audit Not all tokens minted in the pool are from rewards
uint256 totalRewards = raacToken.balanceOf(address(this));
if (totalDeposits < 1e6) return 0;
return (totalRewards * userDeposit) / totalDeposits;
}

Impact:

  1. Incorrect Reward Calculation:

    • The function uses the total balance of raacToken in the contract (raacToken.balanceOf(address(this))) to calculate rewards.

    • This includes tokens that are not intended for rewards, such as tokens allocated for managers or other operational purposes.

  2. Inflated Rewards:

    • Users receive rewards based on the entire contract balance, leading to inflated rewards that deplete funds meant for other uses.

  3. Impact on Other Functions:

    • The depositRAACFromPool function deposits raacToken into the contract for distribution to managers, but the inflated rewards calculation can consume these funds, disrupting the intended distribution.

Tools Used

  • Manual code review

Recommendations

To fix the issue, the calculateRaacRewards function should only consider the portion of the contract balance that is specifically allocated for rewards minted by the raacMinter. This can be achieved by maintaining a separate state variable to track reward-specific funds.

Updated Code:

uint256 public totalMintedRewards; // Tracks rewards minted by raacMinter
function _mintRAACRewards() internal {
if (address(raacMinter) != address(0)) {
uint256 preBalance = raacToken.balanceOf(address(this));
raacMinter.tick();
uint256 postBalance = raacToken.balanceOf(address(this));
totalMintedRewards += (postBalance - preBalance); // Track newly minted rewards
}
}
function calculateRaacRewards(address user) public view returns (uint256) {
uint256 userDeposit = userDeposits[user];
uint256 totalDeposits = deToken.totalSupply();
if (totalDeposits < 1e6) return 0;
// Use reward-specific allocation instead of total balance
return (totalMintedRewards * userDeposit) / totalDeposits;
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

StabilityPool::calculateRaacRewards uses contract balance for reward calculation, incorrectly including tokens meant for manager allocation - Manager allocation not implemented

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

StabilityPool::calculateRaacRewards uses contract balance for reward calculation, incorrectly including tokens meant for manager allocation - Manager allocation not implemented

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.