Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Incorrect utilization rate calculation in RAACMinter#getUtilizationRate()

Summary

RAACMinter#getUtilizationRate() calculates the utilization rate incorrectly.

Vulnerability Details

getNormalizedDebt() returns reserve.usageIndex from LendingPool, which is calculated in ReserveLibrary.

function getUtilizationRate() internal view returns (uint256) {
@>  uint256 totalBorrowed = lendingPool.getNormalizedDebt(); // reserve.usageIndex, 1e27 scale
@>  uint256 totalDeposits = stabilityPool.getTotalDeposits(); // token amount, 1e18 scale
    if (totalDeposits == 0) return 0;
    return (totalBorrowed * 100) / totalDeposits;
}

totalDeposits has 18 decimals (1e18 scale), but the value returned by getNormalizedDebt() has 27 decimals (1e27 scale).

totalBorrowed * 100 >= 1e29, so the deposited RToken amount would have to be 1e29, which is 1e11 crvUSD (1e11 USD).

Almost 1e11 USD would have to be deposited into the StabilityPool, and at that point the utilization rate would be 100.

As a result, the utilization rate will always be much greater than 100, so emissionRate keeps increasing until it reaches maxEmissionRate.

The utilization rate is meant to be the RToken usage rate of the StabilityPool. RToken is received in the LendingPool.

Because RToken is an implementation of an interest-bearing token, a user who locks RTokens receives interest after a while, which means the protocol has to pay for it. If the user deposits RTokens into the StabilityPool instead, they do not receive that interest but can receive RAACTokens.

According to this logic, rate = RToken.balanceOf(StabilityPool) * 100 / RToken.balanceOf(LendingPool).
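
The scale mismatch described above, modelled with Python integers as an added example (not code from the submission or the RAAC repository). The pool states are constructed, the usage index is assumed to start at 1e27, and corrected_rate follows the ratio proposed under Recommendations with an extra zero-supply guard.

```python
# Added illustration: integer model of getUtilizationRate(), not the project's code.
RAY = 10**27  # scale of reserve.usageIndex (what getNormalizedDebt() returns)
WAD = 10**18  # scale of RToken amounts


def buggy_rate(usage_index, stability_deposits):
    """Reported logic: a 1e27-scaled index divided by a 1e18-scaled amount."""
    if stability_deposits == 0:
        return 0
    return (usage_index * 100) // stability_deposits  # Solidity-style floor division


def corrected_rate(stability_deposits, rtoken_supply):
    """Recommended logic: StabilityPool deposits as a percentage of RToken supply."""
    if stability_deposits == 0 or rtoken_supply == 0:  # supply guard is an addition
        return 0
    return (stability_deposits * 100) // rtoken_supply


# Constructed pool states: (label, usage index, RToken supply, StabilityPool deposits)
SCENARIOS = [
    ("fresh pool",    1 * RAY,          1_000_000 * WAD,    100_000 * WAD),
    ("index accrued", RAY + RAY // 20,  1_000_000 * WAD,    100_000 * WAD),
    ("half staked",   RAY + RAY // 20, 50_000_000 * WAD, 25_000_000 * WAD),
    ("all staked",    RAY + RAY // 20, 50_000_000 * WAD, 50_000_000 * WAD),
]


def compare(scenarios=SCENARIOS):
    """Return [(label, buggy, corrected)] for each constructed pool state."""
    return [(label, buggy_rate(idx, dep), corrected_rate(dep, supply))
            for label, idx, supply, dep in scenarios]


def always_saturated(scenarios=SCENARIOS, cap=100):
    """True when the buggy value exceeds the percentage cap in every scenario."""
    return all(buggy > cap for _, buggy, _ in compare(scenarios))


if __name__ == "__main__":
    for label, buggy, fixed in compare():
        print(f"{label:14} buggy={buggy:>12,}  corrected={fixed:>3}")
    print("buggy value above 100 everywhere:", always_saturated())
```

The buggy value moves only with the index and the StabilityPool balance, so it carries no information about how much of the RToken supply is actually staked.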

Impact

Protocol loss.

Unintentional behavior.

Because emissionRate ends up equal to maxEmissionRate, RAACToken inflates.

Tools Used

manual

Recommendations

Add a getTotalDeposits() function to LendingPool.

function getUtilizationRate() internal view returns (uint256) {
- uint256 totalBorrowed = lendingPool.getNormalizedDebt();
+ uint256 totalSupply = lendingPool.getTotalDeposits();
uint256 totalDeposits = stabilityPool.getTotalDeposits();
if (totalDeposits == 0) return 0;
return (totalDeposits * 100) / totalSupply;
}
+ function getTotalDeposits() internal view returns (uint256) {
+ return rToken.totalSupply();
+ }
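
Review bot: getTotalDeposits() is declared internal, but getUtilizationRate() reaches it through lendingPool.getTotalDeposits(), which is a call into another contract, so the new function needs external or public visibility and a matching entry in the interface the minter uses. In getUtilizationRate() the zero guard still tests totalDeposits while the divisor in the return line is now totalSupply; add a totalSupply == 0 check so the view cannot revert on division by zero. The added function reads rToken, which appears nowhere else in these lines, so confirm that name matches how LendingPool stores the RToken address.
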
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACMinter::getUtilizationRate incorrectly mixes stability pool deposits with lending pool debt index instead of using proper lending pool metrics
