Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

The total voting power of all veRAAC tokens is wrongly assigned

h2134

Summary

The total voting power of all veRAAC tokens is wrongly assigned.

Vulnerability Details

getTotalVotingPower() in **veRAACToken **returns the total voting power of all veRAAC tokens, and the value is the same as the total supply of veRAAC token.

veRAACToken::getTotalVotingPower()

function getTotalVotingPower() external view override returns (uint256) {

return totalSupply();

}

The problem is the voting power of each user decays over time while total supply of veRAAC token does not, and this may lead to unexpected results:

In Governance, there is quorum required for a proposal to pass, and the quorum is a portion of total voting power. As each user's voting power decays while the total voting power unchanged, it's possible that at some time point no proposal will met the quorum hence no proposal can be executed.

Governance::quorum()

function quorum() public view override returns (uint256) {

return (_veToken.getTotalVotingPower() * quorumNumerator) / QUORUM_DENOMINATOR;

}

In FeeCollector, the pending rewards for a user is calculated based on the user's voting power and total voting power, therefore it's possible that there are rewards stuck as the sum of all the user's voting power is less than the total voting power.

eeCollector::_calculatePendingRewards()

function _calculatePendingRewards(address user) internal view returns (uint256) {

uint256 userVotingPower = veRAACToken.getVotingPower(user);

if (userVotingPower == 0) return 0;

uint256 totalVotingPower = veRAACToken.getTotalVotingPower();

if (totalVotingPower == 0) return 0;

uint256 share = (totalDistributed * userVotingPower) / totalVotingPower;

return share > userRewards[user] ? share - userRewards[user] : 0;

}

Impact

Governance propsal can never meet quorum;
Rewards stuck in FeeCollector.

POC

The POC shows how rewards are stuck in FeeCollector.

Run forge test --mt testAudit_RewardsStuckInFeeCollector.

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.19;

import {Test, console, stdError} from "forge-std/Test.sol";

import "@openzeppelin/contracts/utils/math/SafeCast.sol";

import "@openzeppelin/contracts/proxy/transparent/TransparentUpgradeableProxy.sol";

import "../contracts/libraries/math/WadRayMath.sol";

import "../contracts/core/pools/LendingPool/LendingPool.sol";

import "../contracts/core/pools/StabilityPool/StabilityPool.sol";

import "../contracts/mocks/core/tokens/crvUSDToken.sol";

import "../contracts/core/tokens/RToken.sol";

import "../contracts/core/tokens/DebtToken.sol";

import "../contracts/core/tokens/DeToken.sol";

import "../contracts/core/tokens/RAACToken.sol";

import "../contracts/core/tokens/RAACNFT.sol";

import "../contracts/core/tokens/veRAACToken.sol";

import "../contracts/core/primitives/RAACHousePrices.sol";

import "../contracts/core/minters/RAACMinter/RAACMinter.sol";

import "../contracts/core/collectors/FeeCollector.sol";

import "../contracts/core/collectors/Treasury.sol";

import "../contracts/core/governance/proposals/Governance.sol";

import "../contracts/core/governance/proposals/TimelockController.sol";

contract Audit is Test {

using WadRayMath for uint256;

using SafeCast for uint256;

address owner = makeAddr("Owner");

address repairFund = makeAddr("RepairFund");

LendingPool lendingPool;

StabilityPool stabilityPool;

RAACHousePrices raacHousePrices;

crvUSDToken crvUSD;

RToken rToken;

DebtToken debtToken;

DEToken deToken;

RAACToken raacToken;

RAACNFT raacNft;

veRAACToken veRaacToken;

RAACMinter raacMinter;

FeeCollector feeCollector;

Treasury treasury;

Governance governance;

TimelockController timelockController;

function setUp() public {

vm.warp(1 days);

raacHousePrices = new RAACHousePrices(owner);

// Deploy tokens

raacToken = new RAACToken(owner, 100, 50);

veRaacToken = new veRAACToken(address(raacToken));

veRaacToken.transferOwnership(owner);

crvUSD = new crvUSDToken(owner);

rToken = new RToken("RToken", "RToken", owner, address(crvUSD));

debtToken = new DebtToken("DebtToken", "DT", owner);

raacNft = new RAACNFT(address(crvUSD), address(raacHousePrices), owner);

deToken = new DEToken("DEToken", "DEToken", owner, address(rToken));

// Deploy Treasury and FeeCollector

treasury = new Treasury(owner);

feeCollector = new FeeCollector(

address(raacToken),

address(veRaacToken),

address(treasury),

repairFund,

owner

);

// Deploy LendingPool

lendingPool = new LendingPool(

address(crvUSD),

address(rToken),

address(debtToken),

address(raacNft),

address(raacHousePrices),

0.1e27

);

lendingPool.transferOwnership(owner);

// Deploy stabilityPool Proxy

bytes memory data = abi.encodeWithSelector(

StabilityPool.initialize.selector,

address(rToken),

address(deToken),

address(raacToken),

address(owner),

address(crvUSD),

address(lendingPool)

);

address stabilityPoolProxy = address(

new TransparentUpgradeableProxy(

address(new StabilityPool(owner)),

owner,

data

)

);

stabilityPool = StabilityPool(stabilityPoolProxy);

// RAACMinter

raacMinter = new RAACMinter(

address(raacToken),

address(stabilityPool),

address(lendingPool),

owner

);

// Governance

address[] memory proposers;

address[] memory executors;

timelockController = new TimelockController(2 days, proposers, executors, owner);

governance = new Governance(address(veRaacToken), address(timelockController));

// Initialization

vm.startPrank(owner);

raacHousePrices.setOracle(owner);

rToken.setReservePool(address(lendingPool));

debtToken.setReservePool(address(lendingPool));

deToken.setStabilityPool(address(stabilityPool));

stabilityPool.setRAACMinter(address(raacMinter));

lendingPool.setStabilityPool(address(stabilityPool));

raacToken.setMinter(address(raacMinter));

raacToken.setFeeCollector(address(feeCollector));

raacToken.manageWhitelist(address(feeCollector), true);

raacToken.manageWhitelist(address(raacMinter), true);

raacToken.manageWhitelist(address(stabilityPool), true);

raacToken.manageWhitelist(address(veRaacToken), true);

timelockController.grantRole(keccak256("PROPOSER_ROLE"), address(governance));

timelockController.grantRole(keccak256("EXECUTOR_ROLE"), address(governance));

timelockController.grantRole(keccak256("CANCELLER_ROLE"), address(governance));

timelockController.grantRole(keccak256("EMERGENCY_ROLE"), address(governance));

vm.stopPrank();

vm.label(address(crvUSD), "crvUSD");

vm.label(address(rToken), "RToken");

vm.label(address(debtToken), "DebtToken");

vm.label(address(deToken), "DEToken");

vm.label(address(raacToken), "RAACToken");

vm.label(address(raacNft), "RAAC NFT");

vm.label(address(lendingPool), "LendingPool");

vm.label(address(stabilityPool), "StabilityPool");

vm.label(address(raacMinter), "RAACMinter");

vm.label(address(veRaacToken), "veRAAC");

vm.label(address(feeCollector), "FeeCollector");

vm.label(address(treasury), "Treasury");

vm.label(repairFund, "RepairFund");

}

function testAudit_RewardsStuckInFeeCollector() public {

address alice = makeAddr("Alice");

deal(address(raacToken), alice, 100e18);

vm.startPrank(alice);

raacToken.approve(address(veRaacToken), 100e18);

veRaacToken.lock(100e18, 365 days);

vm.stopPrank();

address bob = makeAddr("Bob");

deal(address(raacToken), bob, 100e18);

vm.startPrank(bob);

raacToken.approve(address(veRaacToken), 100e18);

veRaacToken.lock(100e18, 365 days);

vm.stopPrank();

vm.warp(block.timestamp + 180 days);

uint256 distributeAmount = 1000e18;

address feeDistributor = makeAddr("FeeDistributor");

vm.startPrank(owner);

feeCollector.grantRole(feeCollector.DISTRIBUTOR_ROLE(), feeDistributor);

raacToken.manageWhitelist(feeDistributor, true);

vm.stopPrank();

// Distribute 1000 RAAC tokens

deal(address(raacToken), feeDistributor, distributeAmount);

vm.startPrank(feeDistributor);

raacToken.approve(address(feeCollector), distributeAmount);

feeCollector.collectFee(distributeAmount, 0);

feeCollector.distributeCollectedFees();

vm.stopPrank();

// Alice and Bob claim

feeCollector.claimRewards(alice);

feeCollector.claimRewards(bob);

// After all the user claimed, there still rewards stuck in fee collector

assertEq(raacToken.balanceOf(address(feeCollector)), 394520547945148416000);

}

Tools Used

Manual Review

Recommendations

The total voting power of all veRAAC tokens should also decay over time.

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago

Submission Judgement Published

Validated

Assigned finding tags:

veRAACToken::getTotalVotingPower returns non-decaying totalSupply while individual voting powers decay, causing impossible governance quorums and stuck rewards in FeeCollector

inallhonesty Lead Judge 3 months ago

Submission Judgement Published

Validated

Assigned finding tags:

veRAACToken::getTotalVotingPower returns non-decaying totalSupply while individual voting powers decay, causing impossible governance quorums and stuck rewards in FeeCollector

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.