Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

A user could grief users of the StabilityPool by driving the reward emission rate down to the minimum amount

Summary

In the RAACMinter contract, the getUtilizationRate function reads the total rTokens held by the StabilityPool by calling stabilityPool.getTotalDeposits(). If a user transfers rTokens directly to the StabilityPool instead of depositing them, this value can become large enough that the calculation (totalBorrowed * 100) / totalDeposits returns 0. Each time calculateNewEmissionRate is then called, the emission rate is reduced, so eventually rewards are emitted at the lowest possible rate.

```solidity
// Excerpt from RAACMinter: utilization is derived from the StabilityPool's
// token balance, so tokens transferred in without a deposit are counted.
function getUtilizationRate() internal view returns (uint256) {
    uint256 totalBorrowed = lendingPool.getNormalizedDebt();
    //@Q getTotalDeposits uses balanceOf; if we manipulate this to make this function return 0, can we manipulate the rewards?
    //@A yes, we always get the lowest emission rate, how does that help us?
    //@Audit-low a user can grief users into receiving the lowest amount of rewards by sending rTokens directly to the StabilityPool address
    uint256 totalDeposits = stabilityPool.getTotalDeposits();
    if (totalDeposits == 0) return 0;
    return (totalBorrowed * 100) / totalDeposits;
}
```

Vulnerability Details

A user could transfer rTokens directly to the StabilityPool in order to push the reward emission rate of the StabilityPool to the lowest possible value. In that scenario the computed utilization of the StabilityPool is always 0, and whenever utilization is 0 the emission rate is reduced on each recalculation, so the rate eventually settles at its minimum.

Impact

Users of the StabilityPool receive rewards at the lowest possible emission rate.

Tools Used

Manual Review

Recommendations

Add a storage variable to the StabilityPool that tracks the total amount of rTokens deposited through the deposit function, and return this value from getTotalDeposits. The utilization rate calculation then excludes rTokens that were sent directly to the StabilityPool.
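An added example of the recommended accounting, written for this page and not taken from the RAAC codebase: the interface and contract names, deposit/withdraw functions and the lending pool hook are assumptions, while the utilization formula is the one from the finding above. Only tokens that pass through deposit() move totalDeposited, so a direct transfer cannot inflate the denominator.

```solidity
pragma solidity ^0.8.20;
// Minimal interfaces for the example; names are assumptions, not RAAC's own code.
interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transferFrom(address, address, uint256) external returns (bool);
    function transfer(address, uint256) external returns (bool);
}
interface ILendingPool { function getNormalizedDebt() external view returns (uint256); }

contract StabilityPoolExample {
    IERC20 public immutable rToken;
    ILendingPool public immutable lendingPool;
    // Accounted deposits live in storage and change only in deposit()/withdraw(),
    // so rTokens pushed in with a plain transfer() are never counted.
    uint256 public totalDeposited;
    mapping(address => uint256) public deposits;

    constructor(IERC20 _rToken, ILendingPool _lendingPool) {
        rToken = _rToken;
        lendingPool = _lendingPool;
    }

    function deposit(uint256 amount) external {
        require(amount > 0, "zero amount");
        require(rToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
        deposits[msg.sender] += amount;
        totalDeposited += amount;
    }

    function withdraw(uint256 amount) external {
        require(deposits[msg.sender] >= amount, "insufficient deposit");
        deposits[msg.sender] -= amount;
        totalDeposited -= amount;
        require(rToken.transfer(msg.sender, amount), "transfer failed");
    }

    // Hardened reading. The vulnerable version returned rToken.balanceOf(address(this)),
    // which also counts tokens that never went through deposit().
    function getTotalDeposits() public view returns (uint256) {
        return totalDeposited;
    }

    // Same formula as the finding's getUtilizationRate, over accounted deposits only.
    function getUtilizationRate() external view returns (uint256) {
        uint256 totalBorrowed = lendingPool.getNormalizedDebt();
        uint256 deposited = getTotalDeposits();
        if (deposited == 0) return 0;
        return (totalBorrowed * 100) / deposited;
    }
}
```

Any rTokens that arrive by direct transfer still sit in the contract's balance but never affect totalDeposited, so they cannot force utilization to 0.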

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

StabilityPool vulnerable to griefing attack where attacker can directly transfer rTokens to artificially deflate utilization rate and force minimum emission rewards