Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

`tick()` should be called before UPDATING `setStabilityPool()` in `RaacMinter` contract

Summary

In the RaacMinter contract, when the StabilityPool is updated to a new address via setStabilityPool(), we do NOT account for RAAC rewards to be minted to the stabilityPool via tick().

Vulnerability Details

RAAC rewards are sent to the stability pool via the tick() function. This function is called from the stabilityPool contract whenever people deposit or withdraw from the stability pool.

If the owner were to update the stabilityPool without calling tick(), then the old stability pool would lose out on RAAC rewards, as all the rewards would be SENT to the new Stability Pool.
setStabilityPool()

    function setStabilityPool(address _stabilityPool) external onlyRole(UPDATER_ROLE) {
        if (_stabilityPool == address(0)) revert ZeroAddress();
        stabilityPool = IStabilityPool(_stabilityPool);
        emit ParameterUpdated("stabilityPool", uint256(uint160(_stabilityPool)));
    }

Impact

StabilityPool would lose RAAC Rewards

Tools Used

Manual

Recommendations

Consider adding this call before updating the pool in the setStabilityPool function:

    function setStabilityPool(address _stabilityPool) external onlyRole(UPDATER_ROLE) {
        if (_stabilityPool == address(0)) revert ZeroAddress();
        tick(); // add this
        stabilityPool = IStabilityPool(_stabilityPool);
    }
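The accounting difference described in this submission, as an added Python model that is not the project's code. It assumes tick() mints emission rate × blocks elapsed since the last update to whichever address stabilityPool currently holds (the page does not show tick()'s body); the class name, pool labels and numbers are constructed for illustration.

```python
from collections import defaultdict


class MinterModel:
    """Toy model of the minter's accrual (assumed linear per-block emission)."""

    def __init__(self, pool, emission_rate, start_block=0):
        self.stability_pool = pool
        self.emission_rate = emission_rate
        self.last_update_block = start_block
        self.block = start_block
        self.balances = defaultdict(int)  # RAAC minted per pool address

    def advance(self, blocks):
        """Let `blocks` pass with nobody calling tick()."""
        self.block += blocks

    def tick(self):
        """Mint everything accrued since the last update to the CURRENT pool."""
        elapsed = self.block - self.last_update_block
        if elapsed > 0:
            self.balances[self.stability_pool] += self.emission_rate * elapsed
            self.last_update_block = self.block

    def set_stability_pool(self, new_pool, tick_first):
        if not new_pool:
            raise ValueError("ZeroAddress")
        if tick_first:
            self.tick()  # settle the old pool's accrual before repointing
        self.stability_pool = new_pool


def simulate(tick_first):
    """100 blocks accrue on the old pool, the pool is swapped, 50 more accrue."""
    m = MinterModel("oldPool", emission_rate=10)
    m.advance(100)
    m.set_stability_pool("newPool", tick_first)
    m.advance(50)
    m.tick()  # first deposit/withdraw on the new pool triggers tick()
    return dict(m.balances)


if __name__ == "__main__":
    print("without tick():", simulate(tick_first=False))
    print("with tick():   ", simulate(tick_first=True))
```

The total minted is the same in both runs; only the recipient of the pre-switch accrual changes.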
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
