Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

Mixing Manager and Market Allocations in a Single TotalAllocation Variable

cipherhawk

Overview

The StabilityPool contract supports two distinct administrative features:

  1. Manager Allocations:
    The contract allows the owner to add managers and assign them an allocation via functions such as addManager, removeManager, and updateAllocation.

  2. Market Allocations:
    Separately, the contract supports adding markets with specified allocations through addMarket, removeMarket, and updateMarketAllocation.

-->both sets of functions modify and rely on a single uint256 public totalAllocation variable. This conflation of allocations for managers and markets into one global variable introduces the risk of mis‑calculation or unintended interference between the two allocation systems.

Root Cause & Potential Impact

  • Conflated State:
    The same totalAllocation is updated in both manager‑related and market‑related functions. For example:

    • When a manager is added, totalAllocation += allocation; is executed.

    • Later, when a market is added, totalAllocation += allocation; is also executed.

    • Similarly, removals or updates for either managers or markets adjust the same totalAllocation.

  • Mis‑allocation Risk:
    If these two allocation mechanisms are meant to be independent, using a single variable may lead to a situation where:

    • The overall total allocation does not accurately reflect the intended distribution for either managers or markets.

    • An attacker or malicious administrator could manipulate one part (for instance, by adding or updating market allocations) to skew the global total and thereby influence reward distribution mechanisms that depend on totalAllocation.

  • Operational Confusion:
    External systems or interfaces that rely on getTotalAllocation() will receive a blended value, making it difficult to audit or verify proper reward distribution between managers and markets.

Foundry PoC / Illustrative Test

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
import "forge-std/Test.sol";
contract AllocationMock {
uint256 public totalAllocation;
mapping(address => uint256) public managerAllocation;
mapping(address => bool) public managers;
mapping(address => uint256) public marketAllocations;
mapping(address => bool) public supportedMarkets;
// Manager functions
function addManager(address manager, uint256 allocation) public {
require(!managers[manager], "Manager exists");
managers[manager] = true;
managerAllocation[manager] = allocation;
totalAllocation += allocation;
}
// Market functions
function addMarket(address market, uint256 allocation) public {
require(!supportedMarkets[market], "Market exists");
supportedMarkets[market] = true;
marketAllocations[market] = allocation;
totalAllocation += allocation;
}
}
contract AllocationMockTest is Test {
AllocationMock public mock;
function setUp() public {
mock = new AllocationMock();
}
function testCombinedAllocation() public {
// Add a manager with allocation 100.
mock.addManager(address(0x1), 100);
// Add a market with allocation 200.
mock.addMarket(address(0x2), 200);
// The expected total allocation, if managed separately, might be 100 for managers and 200 for markets.
// However, combined in a single variable, totalAllocation is 300.
assertEq(mock.totalAllocation(), 300);
}
}

Note:
This test shows that the global totalAllocation becomes the sum of both managers’ and markets’ allocations. While the arithmetic is correct, it demonstrates that the two systems are merged, which may be unintentional if independent tracking was intended.

Mitigation

Recommended Fix:
Separate the tracking variables for manager allocations and market allocations. For example, declare:

uint256 public totalManagerAllocation;
uint256 public totalMarketAllocation;

Then update the respective functions so that:

  • Manager functions update totalManagerAllocation only.

  • Market functions update totalMarketAllocation only.

If a unified total is needed for a specific purpose, derive it from the sum of the two (e.g., totalUnifiedAllocation = totalManagerAllocation + totalMarketAllocation). This separation improves clarity and prevents one allocation system from unintentionally affecting the other.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

StabilityPool::calculateRaacRewards uses contract balance for reward calculation, incorrectly including tokens meant for manager allocation - Manager allocation not implemented

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

StabilityPool::calculateRaacRewards uses contract balance for reward calculation, incorrectly including tokens meant for manager allocation - Manager allocation not implemented

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!