Core Contracts

Summary

The Treasury contract tracks the total value of deposited tokens using _totalValue, which is computed as the arithmetic sum of raw token amounts across all deposited assets. This approach fundamentally misrepresents the treasury’s economic value because it ignore: Token decimal differences (e.g., USDC uses 6 decimals vs. RAAC’s 18 decimals).

As a result, the _totalValue metric is mathematically and economically meaningless, creating risks of financial misinterpretation by users, integrators, and the protocol itself.

Vulnerability Details

Treasury Contract – deposit and withdraw Functions:

Root Cause

1. Decimal Ignorance:

   • Tokens with different decimal conventions (e.g., 6 vs. 18 decimals) are summed directly. For example:

     • 1 USDC (6 decimals) = 1,000,000 raw units

     • 1 RAAC (18 decimals) = 1,000,000,000,000,000,000 raw units

   • Adding these raw units (1e6 + 1e18) produces 1.000000000001e18, which incorrectly implies RAAC dominates the treasury’s value.

Example Scenario

• Deposit 1: 1000 USDC (1e6 decimals):

  • Raw amount: 1000 * 1e6 = 1,000,000

  • Economic value: $1000

• Deposit 2: 1 RAAC (1e18 decimals):

  • Raw amount: 1 * 1e18 = 1,000,000,000,000,000,000

  • Economic value: $0.01 (if RAAC price = $0.01).

• _totalValue: 1,000,000 + 1e18 = 1.000000000001e18

• Misleading Interpretation: The treasury appears to hold 1e18 units of value, but its real economic value is $1000.01.

Impact

Protocols or users relying on _totalValue for accounting, risk management, or collateralization will operate on incorrect data.

Tools Used

Manual Review

Recommendations

Remove the _totalValue metric entirely if it does not serve a critical purpose. Track token balances individually via _balances[token] instead.