Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

`StabilityPool::calculateRaacRewards()` assumes same decimals for `RToken` and `DEToken`

Summary

`StabilityPool::calculateRaacRewards()` assumes the same decimals for `RToken` and `DEToken`.

Vulnerability Details

When computing the amount of `DEToken` to mint based on the `RToken` amount, the contract uses the following code:

```solidity
uint256 scalingFactor = 10 ** (18 + deTokenDecimals - rTokenDecimals);
```

The code clearly expects cases where the `DEToken` and `RToken` decimals differ. The issue is that rewards are computed by the following function:

```solidity
function calculateRaacRewards(address user) public view returns (uint256) {
    uint256 userDeposit = userDeposits[user];
    uint256 totalDeposits = deToken.totalSupply();
    uint256 totalRewards = raacToken.balanceOf(address(this));
    if (totalDeposits < 1e6) return 0;
    return (totalRewards * userDeposit) / totalDeposits;
}
```

`userDeposits` is increased by the amount of `RToken` provided on deposit, whereas `totalDeposits` is the supply of `DEToken`, so `userDeposit` and `totalDeposits` are amounts of different tokens. If the decimals differ, which is a handled and expected case in the code, the calculation will be incorrect, as `userDeposit` might have 6 decimals while `totalDeposits` can have 18 decimals.

Impact

Users will receive far fewer or far more rewards, depending on which token has more decimals.

Tools Used

Manual Review

Recommendations

Normalize the decimals
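
A numeric model of the mismatch and of the normalization recommended above, as an added example that is not part of the submission or of the RAAC code base. It uses BigInt to mirror Solidity's integer division; the 1:1 value conversion between `RToken` and `DEToken`, the 18-decimal RAAC balance, the helper names and the sample balances are assumptions made for illustration.

```javascript
// Added model, not project code. BigInt division truncates like Solidity's.
const pow10 = (n) => 10n ** BigInt(n);

// Convert a raw amount from one decimal base to another (assumed 1:1 value).
function rescale(amount, fromDecimals, toDecimals) {
  return toDecimals >= fromDecimals
    ? amount * pow10(toDecimals - fromDecimals)
    : amount / pow10(fromDecimals - toDecimals);
}

// Same arithmetic as calculateRaacRewards() on the page:
// userDeposit is in RToken units, deSupply is in DEToken units.
function rewardsAsWritten(totalRewards, userDepositR, deSupply) {
  if (deSupply < 1000000n) return 0n;
  return (totalRewards * userDepositR) / deSupply;
}

// Normalized variant: express the deposit in DEToken units first.
function rewardsNormalized(totalRewards, userDepositR, deSupply, rDec, deDec) {
  if (deSupply < 1000000n) return 0n;
  return (totalRewards * rescale(userDepositR, rDec, deDec)) / deSupply;
}

// Constructed scenario: two users deposit 500 RToken each,
// and the pool holds 1000 RAAC (18 decimals assumed).
function scenario(rDec, deDec) {
  const userDepositR = 500n * pow10(rDec);
  const deSupply = rescale(2n * userDepositR, rDec, deDec);
  const totalRewards = 1000n * pow10(18);
  return {
    totalRewards,
    asWritten: rewardsAsWritten(totalRewards, userDepositR, deSupply),
    normalized: rewardsNormalized(totalRewards, userDepositR, deSupply, rDec, deDec),
  };
}

for (const [rDec, deDec] of [[18, 18], [6, 18], [18, 6]]) {
  const r = scenario(rDec, deDec);
  console.log(`R=${rDec} DE=${deDec} asWritten=${r.asWritten} normalized=${r.normalized}`);
}
```

With equal decimals both functions agree; with 6 and 18 the unnormalized share shrinks by a factor of 10^12, and with the decimals reversed it exceeds the pool's whole RAAC balance.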

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
