Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

calculateNewEmissionRate() Uses Only Utilization Rate for Adjustments

nitinaimshigh

Summary

The RAACMinter.sol contract has a misalignment in reward allocation because its emission calculations only consider staked tokens (deposits in stabilityPool) and ignore unstaked RAAC tokens (held in the treasury or unclaimed rewards).

/**

* @dev Calculates the new emission rate based on the system utilization and benchmark rate

* @return The new emission rate in RAAC per block

function calculateNewEmissionRate() internal view returns (uint256) {

uint256 utilizationRate = getUtilizationRate();

uint256 adjustment = (emissionRate * adjustmentFactor) / 100;

if (utilizationRate > utilizationTarget) {

uint256 increasedRate = emissionRate + adjustment;

uint256 maxRate = increasedRate > benchmarkRate ? increasedRate : benchmarkRate;

return maxRate < maxEmissionRate ? maxRate : maxEmissionRate;

} else if (utilizationRate < utilizationTarget) {

uint256 decreasedRate = emissionRate > adjustment ? emissionRate - adjustment : 0;

uint256 minRate = decreasedRate < benchmarkRate ? decreasedRate : benchmarkRate;

return minRate > minEmissionRate ? minRate : minEmissionRate;

}

return emissionRate;

}

Vulnerability Details

The function only considers totalDeposits (staked tokens) when adjusting emissions.
Unstaked RAAC tokens (held in treasury, excess emissions, unclaimed rewards) are ignored.
This causes misaligned emissions, where unstaked RAAC is not accounted for in supply calculations.

The vulnerability is real and similar to Kamino Lend’s issue.
🔹 Emissions are misaligned due to ignoring unstaked RAAC in calculations.
🔹 Attackers can manipulate staking to inflate or deflate emissions.
🔹 Fixing the utilization rate calculation prevents unfair reward distribution.

Impact

This vulnerability can lead to incorrect RAAC token emissions, affecting:

Stakers (earning rewards unfairly or losing rewards)
RAAC token supply (inflation or deflation issues)
Lending and stability pools (incorrect liquidity incentives)

Here’s a rough risk assessment:

Scenario	Potential Loss
Emission Farming	Millions of RAAC tokens over-minted, inflating supply and hurting price stability.
Liquidity Collapse	Liquidity providers exit, causing unstable lending rates and reduced protocol usage.
Governance Exploitation	Attackers manipulate staking to control emissions, affecting RAAC governance votes.

Worst-case scenario:
If emissions are massively overestimated, attackers could mint billions of RAAC, crashing the price and causing liquidity loss across DeFi integrations.

Tools Used

Manual Review

Recommendations

The misalignment in emissions must be corrected to ensure fair reward distribution.
The fix should include unstaked RAAC (treasury, excess tokens) in calculations.

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.