Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

Hardcoded BLOCKS_PER_DAY in RAACMinter can make the minting proccess uneven on different chains

oxaudron

Summary

As per the Compatibilities this will contracts will be deployed on All EVM Compatible chains. However there is a flawed assumption taken into account that all EVM chains block number has on average 12 seconds per block time. However thats not the case as some chains have less block creation time compared to standard (~12 sec). And also some chains have different upgradation mechanism because of which, it could make a discrepancy in the minting process and calculations.

However this differs for every different chains :

  • On Binance Smart Chain, the average block creation time is 3 seconds

  • According to Arbitrum Docs block.number returns the most recently synced L1 block number. Once per minute the block number in the Sequencer is synced to the actual L1 block number. This period could be abused to completely bypass this protection.

  • It also presents an issue for Optimism because each transaction is it's own block. No matter what value is used for the block delay, the user can pad enough tiny transactions to allow them to close the trade immediately.

Vulnerability Details

This is the variable initialized in RAACMinter, where it assumes that block time changes every 12 seconds :

uint256 public constant BLOCKS_PER_DAY = 7200; // Assuming 12-second block time

In the tick() function the amountToMint is calculated based on emissionRate and blocks (currentBlock - lastUpdateBlock). And the emissionRate is calculated as INITIAL_RATE / BLOCKS_PER_DAY.

function tick() external nonReentrant whenNotPaused {
if (emissionUpdateInterval == 0 || block.timestamp >= lastEmissionUpdateTimestamp + emissionUpdateInterval) {
updateEmissionRate();
}
uint256 currentBlock = block.number;
uint256 blocksSinceLastUpdate = currentBlock - lastUpdateBlock;
if (blocksSinceLastUpdate > 0) {
uint256 amountToMint = emissionRate * blocksSinceLastUpdate;
if (amountToMint > 0) {
excessTokens += amountToMint;
lastUpdateBlock = currentBlock;
raacToken.mint(address(stabilityPool), amountToMint);
emit RAACMinted(amountToMint);
}
}
}

Attack Scenario(for BSC chain) :

  • Deploy RAACMinter on a chain with 3s blocks.

  • Emission Miscalculation:

    Intended: 1000 RAAC/day ≈ 138.89 RAAC/block (7200 blocks)

    Actual: 28800 blocks/day → 138.89 * 28800 = 4,000,000 RAAC/day (4000% inflation)

  • RAAC tokens minted excessively, crashing token value due to oversupply.

Also it would impact differently for different chains where the block.number upgrading mechanism is different.

Impact

  • In different chains, minting will differ to an extent which will highly impact the stability and will make it impact the integrity and result in loss for the procotol even.

Tools Used

Manual Review

Recommendations

  • Create different code for different chains which uses block.number details

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACMinter hardcoded BLOCKS_PER_DAY breaks cross-chain compatibility with variable token emission rates

Known issue LightChaser M12

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACMinter hardcoded BLOCKS_PER_DAY breaks cross-chain compatibility with variable token emission rates

Known issue LightChaser M12

Appeal created

dimah7 Auditor
7 months ago
inallhonesty Lead Judge
7 months ago
inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

RAACMinter hardcoded BLOCKS_PER_DAY breaks cross-chain compatibility with variable token emission rates

Known issue LightChaser M12

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!