Utilization is wrongly computed and would vary in magnitude
Summary
Utilization is wrongly computed and would vary in magnitude
Vulnerability Details
getUtilizationRate computes the utilization wrong as it doesn't take into account percentage increases, but it uses total balance increases instead. In simple terms, deepening on how much rToken.balanceOf(address(this)) there is the utilization rate would vary by a few orders of magnitude.
Example:
Stability pool can have 1k tokens - 1e21 and utilization would be
1e27 * 100 / 1e21 = 1e8Stability pool can have 100k tokens - 1e23 and utilization would be
1e27 * 100 / 1e23 = 1e6Stability pool can have 1m tokens - 1e24 and utilization would be
1e27 * 100 / 1e24 = 1e5
Here utilization varies from 10_000 (1e5) to 100_000_000 (1e8), which are orders of magnitude different.
he main issue would be in calculateNewEmissionRate as it must have a fixed min, target and max utilization. However since these 2 numbers are so much different this would mean that either utilization is above max or bellow min.
Impact
is used inside calculateNewEmissionRate, which would impact the amount of rewards that are calculated.
Utilization is always either bellow min or above max
Tools Used
Manual review
Recommendations
User percentage based utilization instead.
Lead Judging Commences
RAACMinter::getUtilizationRate incorrectly mixes stability pool deposits with lending pool debt index instead of using proper lending pool metrics
RAACMinter::getUtilizationRate incorrectly mixes stability pool deposits with lending pool debt index instead of using proper lending pool metrics
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.