Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Re-org vulnerability leading to incorrect emission calculations and potential double minting.

pavankv

Summary

Function tick is used to calculate the emission rate if interval passed adn raacToken will get minted based on the block passed since last-update this may lead to double minting.

Vulnerability Details

Function tick() we can see below code snippet

Interval time is determined by blockTimestamp and delta block number is used to mint the raacToken. What if in the current block.number re-org happens.

Take a scenario

Calls tick() at at block 100, minting tokens.
tick() updates lastUpdateBlock = 100.
10 blocks pass, emission rate = 100 RAAC per block.
**Minted **10 * 100 = 1000 RAAC.
Blockchain re-orgs back to block 98, invalidating block 100.
Contract still believes lastUpdateBlock = 100, while the chain is at 98.
Waits until the chain reaches 100 again and calls tick().
tick() recalculates from lastUpdateBlock = 100, even though it was already executed.
Another 1000 RAAC is minted, even though the total blocks haven't increased.

/**

* @dev Triggers the minting process and updates the emission rate if the interval has passed

function tick() external nonReentrant whenNotPaused {

if (emissionUpdateInterval == 0 || block.timestamp >= lastEmissionUpdateTimestamp + emissionUpdateInterval) {

updateEmissionRate();

}

uint256 currentBlock = block.number;

uint256 blocksSinceLastUpdate = currentBlock - lastUpdateBlock;

if (blocksSinceLastUpdate > 0) {

uint256 amountToMint = emissionRate * blocksSinceLastUpdate;

if (amountToMint > 0) {

excessTokens += amountToMint;

lastUpdateBlock = currentBlock;

raacToken.mint(address(stabilityPool), amountToMint);

emit RAACMinted(amountToMint);

}

POC

Impact

Miniting will be taken two times

Tools Used

Manual View

Recommendations

Use BlockTimestamp instead of block.number.

Use check points that current block number is to be higer than the stored block number

require(block.number > lastUpdateBlock, "Possible re-org detected");

Code Snippet

https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/minters/RAACMinter/RAACMinter.sol#L256

Updates

Lead Judging Commences

inallhonesty Lead Judge

9 months ago

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!