Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

A Malicious Actor Can Manipulate RAAC Token Emission by Exploiting rToken Withdrawals and Deposits in StabilityPool

victortheoracle

Summary

A vulnerability exists in the way the system calculates and updates the RAAC token emission rate. By exploiting the calculation of the utilization rate, an attacker can manipulate the system into increasing the RAAC emission rate. This is achieved by withdrawing a large portion of rToken deposits to artificially spike the utilization rate, and then redepositing to benefit from the increased emissions.

Vulnerability Details

The RAACMinter contract determines the emission rate based on the utilization rate, which is calculated using:

function getUtilizationRate() internal view returns (uint256) {
uint256 totalBorrowed = lendingPool.getNormalizedDebt();
uint256 totalDeposits = stabilityPool.getTotalDeposits();
if (totalDeposits == 0) return 0;
return (totalBorrowed * 100) / totalDeposits;
}

Here, totalDeposits represents the total rToken deposits in the StabilityPool. When a user withdraws a large amount via the withdraw() function, totalDeposits drops significantly, causing the calculated utilization rate to spike. During the next call to the tick() function—which anyone can invoke—the system updates the emission rate based on this inflated utilization rate, thereby increasing the number of RAAC tokens minted per block.

function tick() external nonReentrant whenNotPaused {
if (emissionUpdateInterval == 0 || block.timestamp >= lastEmissionUpdateTimestamp + emissionUpdateInterval) {
updateEmissionRate();
}
uint256 currentBlock = block.number;
uint256 blocksSinceLastUpdate = currentBlock - lastUpdateBlock;
if (blocksSinceLastUpdate > 0) {
uint256 amountToMint = emissionRate * blocksSinceLastUpdate;
if (amountToMint > 0) {
excessTokens += amountToMint;
lastUpdateBlock = currentBlock;
raacToken.mint(address(stabilityPool), amountToMint);
emit RAACMinted(amountToMint);
}
}
}

In updateEmissionRate(), the system calls calculateNewEmissionRate(), which increases the rate if the utilization rate is above the target. Even though each update is capped at a 5% increase and the overall emission rate is limited to 2000 RAAC per day, an attacker can repeatedly:

  1. Withdraw a large deposit to spike the utilization rate.

  2. Trigger tick() to update the emission rate upward.

  3. Redeem and redeposit their funds so that the pool’s deposits return to normal while retaining the higher emission rate.

This cycle can be repeated over time, gradually pushing the emission rate to its cap and allowing the attacker to benefit from the extra minted RAAC tokens.

function calculateNewEmissionRate() internal view returns (uint256) {
uint256 utilizationRate = getUtilizationRate();
uint256 adjustment = (emissionRate * adjustmentFactor) / 100;
if (utilizationRate > utilizationTarget) {
uint256 increasedRate = emissionRate + adjustment;
uint256 maxRate = increasedRate > benchmarkRate ? increasedRate : benchmarkRate;
return maxRate < maxEmissionRate ? maxRate : maxEmissionRate;
} else if (utilizationRate < utilizationTarget) {
uint256 decreasedRate = emissionRate > adjustment ? emissionRate - adjustment : 0;
uint256 minRate = decreasedRate < benchmarkRate ? decreasedRate : benchmarkRate;
return minRate > minEmissionRate ? minRate : minEmissionRate;
}
return emissionRate;
}

Impact

The attacker earns extra RAAC tokens by repeatedly forcing the system to increase its emission rate. Even with a 5% cap per update, cumulative manipulation over multiple cycles results in significant over-minting. Furthermore, this leads to an unfair reward distribution, undermines trust, and can destabilize the protocol’s incentive structure

Tools Used

  • Manual code review

Recommendations

To mitigate this, you should enforce a cooldown period or deposit locking mechanism to prevent rapid withdrawal and redeposit cycles.

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACMinter vulnerable to manipulation via flash borrowing to artificially inflate emission rates by temporarily spiking utilization

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACMinter vulnerable to manipulation via flash borrowing to artificially inflate emission rates by temporarily spiking utilization

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.