Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Invalid

Missing check for existing tokens in `LendingPool::setStabilityPool`, can lead to permanent lock of tokens.

Vulnerability details:

The `LendingPool::setStabilityPool` function updates the stability pool address without verifying whether the current pool holds rTokens. Since the Stability Pool contract allows users to deposit rToken and receive deToken, as well as withdraw their rToken and RAAC rewards, any tokens still present when the pool is updated will become permanently locked, as there is no mechanism to retrieve them after the address change.

Impact

Any tokens present in the old stability pool will be permanently locked.

Recommended mitigation

Before updating the stability pool, ensure it has a zero balance of rTokens. If any tokens remain, prevent the update.

function setStabilityPool(address newStabilityPool) external onlyOwner {
if (newStabilityPool == address(0)) revert AddressCannotBeZero();
if (newStabilityPool == stabilityPool) revert SameAddressNotAllowed();
// Check that the current stability pool is empty before updating
+++ uint256 currentBalance = rToken.balanceOf(stabilityPool);
+++ if (currentBalance > 0) revert StabilityPoolNotEmpty();
address oldStabilityPool = stabilityPool;
stabilityPool = newStabilityPool;
emit StabilityPoolUpdated(oldStabilityPool, newStabilityPool);
}
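
Review bot: The `currentBalance > 0` revert on the two added lines makes the owner's ability to change the pool depend on a balance the owner does not control. The write-up states that users deposit rToken into the Stability Pool, so any residual balance at that address, however small, keeps `setStabilityPool` reverting for as long as it remains. Consider a migration or drain step that the owner can complete before the switch, or an explicit override path, instead of a strict zero-balance requirement. The added lines also rely on `rToken` and on a `StabilityPoolNotEmpty` error whose declarations are not shown here; both need to exist in `LendingPool` for the change to compile.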

This check ensures that no tokens remain in the old stability pool before updating its address, preventing accidental token loss.

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
