Core Contracts

Summary

In the tick and _setLastUpdateBlock function in the RAACMinter contract relies on block.number to calculate the number of blocks elapsed since the last update. On the Arbitrum network, block.number returns the Layer 1 (L1) block number, which advances more slowly than Arbitrum's Layer 2 (L2) blocks. according to the arbitrium docs https://docs.arbitrum.io/build-decentralized-apps/arbitrum-vs-ethereum/block-numbers-and-time
The tick function is also used in the StabilityPool to mint RAAC rewards.

Vulnerability Details

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/minters/RAACMinter/RAACMinter.sol#L256-L275

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/pools/StabilityPool/StabilityPool.sol#L153-L159
https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/minters/RAACMinter/RAACMinter.sol#L110-L118

In Ethereum, block.number represents the current block number, incrementing with each new block approximately every 12 seconds. However, on Arbitrum, a Layer 2 scaling solution, block.number reflects the L1 Ethereum block number, not the faster L2 block number. Arbitrum's L2 blocks are produced more frequently, approximately every 0.25 seconds. Therefore, using block.number on Arbitrum does not accurately represent the passage of L2 blocks.

Impact

Since block.number corresponds to the slower L1 block progression, blocksSinceLastUpdate will be significantly lower than the actual number of L2 blocks that have passed. This miscalculation leads to a reduced amountToMint, affecting the intended token emission schedule. orders won`t decay as expected

Tools Used

Manual Review

Recommendations

Consider using ArbSys(100).arbBlockNumber() to retrieve the block number on arbitrium.