Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

Missing Distribution Logic

ChainDefenders

Summary

In the StabilityPool.sol contract the depositRAACFromPool function is missing the logic to distribute RAAC tokens deposited from the liquidity pool, which can lead to improper allocation of these tokens.

Vulnerability Details

The vulnerability arises from the absence of distribution logic in the depositRAACFromPool function. When RAAC tokens are deposited from the liquidity pool, they are not properly allocated to the managers or markets based on their respective allocations. This can result in an accumulation of RAAC tokens in the contract without being distributed to the intended recipients.

Impact

Without proper distribution, the RAAC tokens deposited from the liquidity pool will not reach the managers or markets as intended. This can lead to a lack of incentives for managers and markets, potentially affecting their participation and performance. Additionally, the accumulation of undistributed RAAC tokens in the contract can lead to governance and financial discrepancies, undermining the trust and integrity of the protocol.

Tools Used

Manual Review

Recommendations

To mitigate this vulnerability, implement the distribution logic in the depositRAACFromPool function. This logic should allocate the deposited RAAC tokens to the managers and markets based on their respective allocations. Here is an example of how to implement this:

function depositRAACFromPool(uint256 amount) external onlyLiquidityPool validAmount(amount) {
uint256 preBalance = raacToken.balanceOf(address(this));
raacToken.safeTransferFrom(msg.sender, address(this), amount);
uint256 postBalance = raacToken.balanceOf(address(this));
if (postBalance != preBalance + amount) revert InvalidTransfer();
// Distribute RAAC tokens to managers based on their allocation
for (uint256 i = 0; i < managerList.length; i++) {
address manager = managerList[i];
uint256 managerShare = (amount * managerAllocation[manager]) / totalAllocation;
if (managerShare > 0) {
raacToken.safeTransfer(manager, managerShare);
}
}
// Distribute RAAC tokens to markets based on their allocation
for (uint256 i = 0; i < supportedMarkets.length; i++) {
address market = supportedMarkets[i];
uint256 marketShare = (amount * marketAllocations[market]) / totalAllocation;
if (marketShare > 0) {
raacToken.safeTransfer(market, marketShare);
}
}
emit RAACDepositedFromPool(msg.sender, amount);
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

StabilityPool::calculateRaacRewards uses contract balance for reward calculation, incorrectly including tokens meant for manager allocation - Manager allocation not implemented

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

StabilityPool::calculateRaacRewards uses contract balance for reward calculation, incorrectly including tokens meant for manager allocation - Manager allocation not implemented

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!