Precision Loss in Utilization Rate Calculation Leads to Zero Rates
Summary
The RAACMinter's getUtilizationRate() uses basic integer arithmetic without proper decimal scaling, causing severe precision loss and potentially returning 0% utilization when it should be non-zero.
Vulnerability Details
The current implementation performs integer division after a simple multiplication by 100:
When dealing with large numbers in different decimal precisions (18 decimals), this calculation fails to maintain precision:
totalBorrowed: 1e18 (1 crvUSD)
totalDeposits: 100e18 (100 rToken)
Current result: (1e18 * 100) / 100e18 = 0
Expected result: 1% = 1e16 in WAD precision
Impact
Zero utilization rate reported when actual utilization exists
Incorrect emission rate calculations
Wrong reward distributions
Protocol economics affected by incorrect utilization metrics
Potential manipulation of rewards through precision loss
Tools Used
Manual review
Recommendations
Use proper decimal math with WAD precision
Lead Judging Commences
RAACMinter::getUtilizationRate incorrectly mixes stability pool deposits with lending pool debt index instead of using proper lending pool metrics
RAACMinter::getUtilizationRate incorrectly mixes stability pool deposits with lending pool debt index instead of using proper lending pool metrics
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.