The StabilityPool allows for dynamic decimal settings on the rToken and deToken tokens, and incorporates functions to calculate what X amount of one token equals in the other token when depositing and withdrawing. However, these conversions are not carried out when RAAC rewards are calculated in calculateRaacRewards(...).
Let's look at the StabilityPool storage variables:
https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/pools/StabilityPool/StabilityPool.sol#L54-L56
From the above, we can confirm that the protocol plans to use different variables for its deToken and rToken implementations. This is further confirmed by the way deposits and withdrawals are made. However, the calculateRaacRewards(...) function does not carry out the same conversions and assumes that deToken and rToken will always have the same decimals, leading to issues in the cases where they do not:
https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/pools/StabilityPool/StabilityPool.sol#L251-L259
If, for example, rToken has 18 decimals and deToken has 6 decimals, we get (Xe18 * Ye18) / Ze6 = ((X*Y) / Z)e30 -> overinflation, as rewards must be in RAACToken, which has 18 decimals. The other way around, we get (Xe18 * Ye6) / Ze18 = ((X*Y) / Z)e6 -> dust amount of RAACToken rewards.
Incorrect reward calculations.
Manual review.
Carefully align deToken and rToken decimals when calculating RAACToken rewards.
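The two cases above and one way to align the decimals, as an added Python model of the integer arithmetic (not the project's code). It assumes the user deposit is held in rToken units, total deposits are read in deToken units, and the two tokens exchange 1:1; all function names and sample amounts are constructed for illustration.

```python
"""Integer model of a pro-rata reward formula with mixed token decimals."""

RAAC_DECIMALS = 18  # per the finding, RAACToken uses 18 decimals


def to_units(amount: int, decimals: int) -> int:
    """Whole-token amount -> raw integer units for a token with `decimals`."""
    return amount * 10 ** decimals


def rescale(raw: int, from_decimals: int, to_decimals: int) -> int:
    """Convert raw units between decimal scales, rounding down like Solidity."""
    if to_decimals >= from_decimals:
        return raw * 10 ** (to_decimals - from_decimals)
    return raw // 10 ** (from_decimals - to_decimals)


def naive_rewards(total_rewards: int, user_deposit: int, total_deposits: int) -> int:
    """Pro-rata share with no decimal alignment: the pattern the finding describes."""
    return total_rewards * user_deposit // total_deposits


def aligned_rewards(total_rewards: int, user_deposit: int, r_dec: int,
                    total_deposits: int, de_dec: int) -> int:
    """Same share, but the deposit is first rescaled into deToken decimals, so
    numerator and denominator cancel and the result stays in RAAC units."""
    if total_deposits == 0:
        return 0
    deposit_in_de = rescale(user_deposit, r_dec, de_dec)
    return total_rewards * deposit_in_de // total_deposits


def scenario(r_dec: int, de_dec: int) -> tuple[int, int]:
    """Constructed sample: user holds 50 of 200 deposited tokens, 1000 RAAC to share.
    Returns (naive result, aligned result) in raw units."""
    rewards = to_units(1000, RAAC_DECIMALS)
    deposit = to_units(50, r_dec)    # assumption: deposit tracked in rToken units
    supply = to_units(200, de_dec)   # assumption: total read as deToken supply
    return (naive_rewards(rewards, deposit, supply),
            aligned_rewards(rewards, deposit, r_dec, supply, de_dec))


if __name__ == "__main__":
    for r_dec, de_dec in [(18, 6), (6, 18), (18, 18)]:
        naive, aligned = scenario(r_dec, de_dec)
        print(f"rToken={r_dec} deToken={de_dec} naive={naive} aligned={aligned}")
```

Rescaling down rounds to zero for deposits smaller than one unit of the coarser token, so a Solidity fix should decide explicitly how such dust is treated.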