Computation of `getUtilizationRate()` in contract `RaacMinter` is `WRONG`
Summary
The computation of Utilization Rate in raacMinter contract is wrong.
The issue is that, getNormalizedDebt() returns usageIndex from lendingPool contract which is directly assigned to variable totalBorrowed
Vulnerability Details
The function getUtilizationRate() is supposed to find out the current utilization rate of the system i.e. getUtilizationRate()
Notice that, in order to calculate totalBorrowed, the contract makes a call to getNormalizedDebt() which belongs to lendingPool contract.
However, this function returns usageIndexinstead of total borrowed i.e. getNormalizedDebt()
This usageIndex MUST be multiplied with correct scaled borrowing to arrive at the final figure.
Impact
Incorrect Computation of Utilization rate would lead to assigning a wrong emission rate.
Tools Used
Manual
Recommendations
Consider computing the totalBorrowing by multiplying the usageIndex with respective scaledBalance to arrive at correct utilization rate.
Lead Judging Commences
RAACMinter::getUtilizationRate incorrectly mixes stability pool deposits with lending pool debt index instead of using proper lending pool metrics
RAACMinter::getUtilizationRate incorrectly mixes stability pool deposits with lending pool debt index instead of using proper lending pool metrics
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.