Incorrect utilization rate calculation uses interest index instead of total borrowed amount, leading to extreme emission rates
Summary
The RAACMinter's utilization rate calculation incorrectly uses the lending pool's usage index (normalized debt) instead of the actual total borrowed amount, resulting in extremely high utilization rates and incorrect emission rate adjustments.
Vulnerability Details
In RAACMinter, the getUtilizationRate function uses the wrong value for total borrowed amount:
Because the getNormalizedDebt on lending pool retrieves the usage index not the actual total borrowed:
Sample Scenario
Assume the ff:
usageIndex = 1e27 (RAY)
totalDeposits = 1000e18 tokens
Calculation:
utilizationRate = (1e27 100) / (1000e18)
= 1e29 / 1e21
= 100,000,000
Expected:
utilizationRate = (actualBorrowed 100) / totalDeposits
= value between 0-100
Impact
Protocol's emission rate mechanism breaks due to extremely high utilization rate calculations, leading to maximum emission rates and incorrect token distribution.
Tools Used
Manual Review
Recommendations
Ensure that the totalBorrowed amount really retrieves the total borrowed in the lending pool.
Lead Judging Commences
RAACMinter::getUtilizationRate incorrectly mixes stability pool deposits with lending pool debt index instead of using proper lending pool metrics
RAACMinter::getUtilizationRate incorrectly mixes stability pool deposits with lending pool debt index instead of using proper lending pool metrics
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.