`getUtilizationRate` Does Not Consider Different Decimals
Summary
The function getUtilizationRate in the RAACMinter contract does not properly account for differences in token decimals. The issue arises because:
-
totalBorrowedis stored in RAY (27) decimals. -
totalDepositsis derived from RToken balance, which may have different decimals.
Relevant Code
Vulnerability Details
Example Scenario:
-
RTokenhas 6 decimals (1,000,000 = 1 RToken) -
totalBorrowedis 1000 (1000e27) -
totalDepositsis 2000 (2000e6) -
This results in (
totalBorrowed* 100) /totalDeposits= 5e22, way more than the intended range of 0 - 100
This will cause wrong calculations related to this utilization ratio.
Impact
Incorrect Emission Rate Calculation: calculateNewEmissionRate will use a wrong utilization rate leading to wrong calculations.
Tools Used
Manual Review
Recommendations
Ensure all token values are converted to the same decimal standard before calculations. Ensure at the end that the utilization rate is in the intended range.
Lead Judging Commences
RAACMinter::getUtilizationRate incorrectly mixes stability pool deposits with lending pool debt index instead of using proper lending pool metrics
RAACMinter::getUtilizationRate incorrectly mixes stability pool deposits with lending pool debt index instead of using proper lending pool metrics
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.