Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Flipped Scaling in `DebtToken.totalSupply()` Function Breaks Protocol's Interest Rate Mechanism

elhajin

Vulnerability Details

The DebtToken.totalSupply() incorrectly divides by the interest index instead of multiplying. This causes the protocol to report decreasing totalSupply debt over time, leading to artificially low utilization rates thus low interest rates, completely breaking the protocol's interest rate mechanism.

The core issue starts in DebtToken.totalSupply():

function totalSupply() public view override(ERC20, IERC20) returns (uint256) {

uint256 scaledSupply = super.totalSupply();

// @audit-issue: Using rayDiv instead of rayMul

return scaledSupply.rayDiv(ILendingPool(_reservePool).getNormalizedDebt());

}

here the totalSupply() should use rayMul instead of rayDiv , because this suppose to be the unscaled totalSupply.

Here's how this error propagates through the protocol:

Every borrow/repay/liquidation operation calls DebtToken.mint() or DebtToken.burn():

// LendingPool.sol

function borrow(uint256 amount) {

// ... other checks ...

(bool success, uint256 newTotalSupply,) = debtToken.mint(...);

reserve.totalUsage = newTotalSupply; // Updates with incorrect total

}

These functions return the flawed totalSupply() to the LendingPool, which updates its totalUsage to that value :

// In borrow():

reserve.totalUsage = newTotalSupply;

// In repay():

reserve.totalUsage = newTotalSupply;

// In liquidate():

reserve.totalUsage = newTotalSupply;

This incorrect totalUsage is then used to calculate utilization rates which will be lower than the actual utilization , overtime UR will be decreasing instead of increasing :

// ReserveLibrary.sol

uint256 utilizationRate = calculateUtilizationRate(

reserve.totalLiquidity,

reserve.totalUsage // Using the flawed totalSupply

);

The utilization rate used to calculate the borrow and liquidity rates, which will be lower than it should be in this case.

poc :

Foundry Envirement Setup

i'm using foundry for test , to integrate foundry :
run :

npm install --save-dev @nomicfoundation/hardhat-foundry
add this to hardhat.config.cjs :

require("@nomicfoundation/hardhat-foundry");
run :

npx hardhat init-foundry
comment the test/unit/libraries/ReserveLibraryMock.sol as it's causing compiling errors
inside test folder , create new dir foundry and inside it , create new file baseTest.sol , and copy/paste this there :

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.19;

import "forge-std/Test.sol";

import "forge-std/console2.sol";

import "../../contracts/core/tokens/DebtToken.sol";

import "../../contracts/core/tokens/RAACToken.sol";

import "../../contracts/core/tokens/veRAACToken.sol";

import "../../contracts/core/tokens/RToken.sol";

import "../../contracts/core/tokens/DEToken.sol";

import "../../contracts/core/pools/LendingPool/LendingPool.sol";

import "../../contracts/core/pools/StabilityPool/StabilityPool.sol";

import "../../contracts/core/tokens/RAACNFT.sol";

import "../../contracts/core/primitives/RAACHousePrices.sol";

import "../../contracts/mocks/core/tokens/crvUSDToken.sol";

import "../../contracts/core/collectors/FeeCollector.sol";

import "../../contracts/core/collectors/Treasury.sol";

import "../../contracts/core/minters/RAACMinter/RAACMinter.sol";

import "../../contracts/core/minters/RAACReleaseOrchestrator/RAACReleaseOrchestrator.sol";

contract baseTest is Test {

// Protocol contracts

crvUSDToken public crvUSD;

RAACToken public raacToken;

veRAACToken public veToken;

RAACHousePrices public housePrices;

RAACNFT public raacNFT;

RToken public rToken;

DebtToken public debtToken;

DEToken public deToken;

LendingPool public lendingPool;

StabilityPool public stabilityPool;

Treasury public treasury;

Treasury public repairFund;

FeeCollector public feeCollector;

RAACMinter public minter;

RAACReleaseOrchestrator public releaseOrchestrator;

// Test accounts

address public admin = makeAddr("admin");

address public user1 = makeAddr("user1");

address public user2 = makeAddr("user2");

address public user3 = makeAddr("user3");

// Constants

uint256 public constant INITIAL_MINT = 1000 ether;

uint256 public constant HOUSE_PRICE = 100 ether;

uint256 public constant INITIAL_PRIME_RATE = 0.1e27; // 10% in RAY

uint256 public constant TAX_RATE = 200; // 2% in basis points

uint256 public constant BURN_RATE = 50; // 0.5% in basis points

function setUp() public virtual {

vm.startPrank(admin);

// Deploy base tokens

crvUSD = new crvUSDToken(admin);

crvUSD.setMinter(admin);

raacToken = new RAACToken(admin, TAX_RATE, BURN_RATE);

veToken = new veRAACToken(address(raacToken));

releaseOrchestrator = new RAACReleaseOrchestrator(address(raacToken));

// Deploy mock oracle

housePrices = new RAACHousePrices(admin);

housePrices.setOracle(admin);

// Deploy NFT

raacNFT = new RAACNFT(address(crvUSD), address(housePrices), admin);

// Deploy pool tokens

rToken = new RToken("RToken", "RT", admin, address(crvUSD));

debtToken = new DebtToken("DebtToken", "DT", admin);

deToken = new DEToken("DEToken", "DEToken", admin, address(rToken));

// Deploy core components

treasury = new Treasury(admin);

repairFund = new Treasury(admin);

feeCollector =

new FeeCollector(address(raacToken), address(veToken), address(treasury), address(repairFund), admin);

lendingPool = new LendingPool(

address(crvUSD),

address(rToken),

address(debtToken),

address(raacNFT),

address(housePrices),

INITIAL_PRIME_RATE

);

stabilityPool = new StabilityPool(admin);

minter = new RAACMinter(address(raacToken), address(stabilityPool), address(lendingPool), address(treasury));

// Initialize contracts

raacToken.setFeeCollector(address(feeCollector));

raacToken.manageWhitelist(address(feeCollector), true);

raacToken.manageWhitelist(address(veToken), true);

raacToken.manageWhitelist(admin, true);

raacToken.setMinter(admin);

raacToken.mint(user2, INITIAL_MINT);

raacToken.mint(user3, INITIAL_MINT);

raacToken.setMinter(address(minter));

bytes32 FEE_MANAGER_ROLE = feeCollector.FEE_MANAGER_ROLE();

bytes32 EMERGENCY_ROLE = feeCollector.EMERGENCY_ROLE();

bytes32 DISTRIBUTOR_ROLE = feeCollector.DISTRIBUTOR_ROLE();

feeCollector.grantRole(FEE_MANAGER_ROLE, admin);

feeCollector.grantRole(EMERGENCY_ROLE, admin);

feeCollector.grantRole(DISTRIBUTOR_ROLE, admin);

rToken.setReservePool(address(lendingPool));

debtToken.setReservePool(address(lendingPool));

deToken.setStabilityPool(address(stabilityPool));

raacToken.transferOwnership(address(minter));

rToken.transferOwnership(address(lendingPool));

debtToken.transferOwnership(address(lendingPool));

stabilityPool.initialize(

address(rToken),

address(deToken),

address(raacToken),

address(minter),

address(crvUSD),

address(lendingPool)

);

lendingPool.setStabilityPool(address(stabilityPool));

// Setup test environment

crvUSD.mint(user1, INITIAL_MINT);

crvUSD.mint(user2, INITIAL_MINT);

crvUSD.mint(user3, INITIAL_MINT);

housePrices.setHousePrice(1, HOUSE_PRICE);

vm.stopPrank();

}

// Helper functions

function mintCrvUSD(address to, uint256 amount) public {

vm.prank(admin);

crvUSD.mint(to, amount);

}

function setHousePrice(uint256 tokenId, uint256 price) public {

vm.prank(admin);

housePrices.setHousePrice(tokenId, price);

}

function calculateInterest(uint256 principal, uint256 rate, uint256 time) public pure returns (uint256) {

return principal * rate * time / 365 days / 1e27;

}

function warpAndAccrue(uint256 time) public {

vm.warp(block.timestamp + time);

lendingPool.updateState();

}

now create a pocs.sol inside test/foundry , and copy/paste this there :

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.19;

import "./baseTest.sol";

import {ERC4626} from "@openzeppelin/contracts/token/ERC20/extensions/ERC4626.sol";

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";

contract MockCurveVault is ERC4626 {

constructor(address _asset) ERC4626(ERC20(_asset)) ERC20("Mock Curve Vault", "mcrvUSD") {}

}

contract pocs is baseTest {

//poc here

}

A POC demonstrates how the totalsupply decreases instead of increasing over time , :

function test_poc04() public {

// deposit some tokens to the pool :

vm.startPrank(user1);

crvUSD.approve(address(lendingPool), type(uint256).max);

lendingPool.deposit(100 ether);

vm.stopPrank();

// deposit an nft , and borrow some tokens :

uint256 tokenId = 1;

vm.startPrank(user2);

crvUSD.approve(address(raacNFT), type(uint256).max);

raacNFT.mint(tokenId, 100 ether);

raacNFT.approve(address(lendingPool), tokenId);

lendingPool.depositNFT(tokenId);

lendingPool.borrow(100 ether);

vm.stopPrank();

// skip some time to accrue interest :

vm.warp(block.timestamp + 365 days);

lendingPool.updateState();

// now the totalSupply should increase , but it decrease instead (scaledBalance remain the same)

uint256 totalSupply = lendingPool.debtToken().totalSupply();

uint256 scaledTotalSupply = lendingPool.debtToken().scaledTotalSupply();

console.log("Total Supply :", totalSupply);

console.log("Scaled Total Supply:", scaledTotalSupply);

}

logs :

Ran 1 test for test/foundry/pocs.sol:pocs

[PASS] test_poc04() (gas: 685009)

Logs:

Total Supply : 67032005367708487429

Scaled Total Supply: 100000000000000000000

Impact

As interest accrues and index increases, reported debt decreases
Lower reported debt → Lower utilization rate → Lower interest rates
Creates a negative feedback loop where higher interest actually reduces rates
this is completely broke the interest rate module.

Tools Used

Manual code review
Foundry test framework

Recommendations

Fix the scaling direction in totalSupply():

function totalSupply() public view override(ERC20, IERC20) returns (uint256) {

uint256 scaledSupply = super.totalSupply();

- return scaledSupply.rayDiv(ILendingPool(_reservePool).getNormalizedDebt());

+ return scaledSupply.rayMul(ILendingPool(_reservePool).getNormalizedDebt());

}

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago

Submission Judgement Published

Validated

Assigned finding tags:

DebtToken::totalSupply incorrectly uses rayDiv instead of rayMul, severely under-reporting total debt and causing lending protocol accounting errors

inallhonesty Lead Judge 6 months ago

Submission Judgement Published

Validated

Assigned finding tags:

DebtToken::totalSupply incorrectly uses rayDiv instead of rayMul, severely under-reporting total debt and causing lending protocol accounting errors

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.