Static 1:1 Exchange Rate Between Rebasing rToken and deToken Causes Fund Lock in StabilityPool
Summary
The getExchangeRate() function in StabilityPool.sol called by withdraw() -> calculateRcrvUSDAmount() always returns 1e18, enforcing a static 1:1 exchange rate between rToken and deToken. This is problematic because rToken is a rebasing token whose value increases over time with accrued interest.
When a user deposits rToken to mint deToken, and later attempts to withdraw using these deTokens, they will receive the same nominal amount of rToken despite the underlying rToken balance having grown through rebasing. The excess rebased rToken remains trapped in the StabilityPool contract.
Vulnerability Details
User deposits 100 rToken when index = 1.0
User receives 100 deToken
After time passes, rToken index = 1.1 (10% increase)
User's 100 deToken is now worth 110 rToken
User withdraws with 100 deToken
Due to 1:1 rate, user only receives 100 rToken
10 rToken remains stuck in pool
Impact
All yields generated during the time rTokens are in StabilityPool will be stuck forever in it
Tools Used
Recommendations
Modify getExchangeRate() to account for the rebasing nature of rToken by tracking the changes in the liquidity index or add a function to transfer excess yields to treasury.
Lead Judging Commences
StabilityPool::getExchangeRate hardcodes 1:1 ratio instead of calculating real rate, enabling unlimited deToken minting against limited reserves
StabilityPool::getExchangeRate hardcodes 1:1 ratio instead of calculating real rate, enabling unlimited deToken minting against limited reserves
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.