Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

RAAC rewards are calculated incorrectly

OpaBatyo

Summary

User deposits and total deposits are denominated in 2 different numbers, dividing them will cause issues

Details

Pending rewards in the stability pool are calculated via calculateRaacRewards

function calculateRaacRewards(address user) public view returns (uint256) {

uint256 userDeposit = userDeposits[user];

uint256 totalDeposits = deToken.totalSupply();

uint256 totalRewards = raacToken.balanceOf(address(this));

if (totalDeposits < 1e6) return 0;

return (totalRewards * userDeposit) / totalDeposits;

}

However userDeposit is denominated in rToken, whereas totalDeposits is in deToken which are expected to have different decimals, as seen in the deposit method

function deposit(uint256 amount) external nonReentrant whenNotPaused validAmount(amount) {

_update();

rToken.safeTransferFrom(msg.sender, address(this), amount);

uint256 deCRVUSDAmount = calculateDeCRVUSDAmount(amount); // decimal conversion rToken -> deToken

deToken.mint(msg.sender, deCRVUSDAmount); // @note deToken totalSupply goes up by deCRVUSDAmount

userDeposits[msg.sender] += amount; // @note userDeposits is updated with amount of rToken deposited

_mintRAACRewards();

emit Deposit(msg.sender, amount, deCRVUSDAmount);

}

This creates 2 issues:

rToken has more decimals than deToken -> complete DoS on withdrawals due to attempting to transfer more than what the contract holds
deToken has more decimals than rToken -> users will have their rewards greatly reduced

Impact

Loss of funds, DoS, broken core functionality

Mitigation

Either perform a decimal conversion or make sure that userDeposits and totalDeposits are denominated in the same token

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!