`excessTokens` updated even when not needed
Summary
The tick() function mints RAAC tokens directly to the StabilityPool by calling:
at the same time as it increments excessTokens by the same amount. This creates a discrepancy
Vulnerability Details
The root cause is a logic error in the minting process. The contract erroneously directs minted tokens to the StabilityPool address while still tracking those tokens as if they were available in the RAACMinter’s balance.
Imagine tick() is called and determines that 100 tokens should be minted. It does the following:
Increments excessTokens by 100.
Calls raacToken.mint(address(stabilityPool), 100), sending the 100 tokens to StabilityPool. Later, mintRewards(100) is called. The function checks that excessTokens (which is now 100) is sufficient and attempts to transfer 100 tokens from the RAACMinter’s balance to a recipient. However, since the RAACMinter contract’s balance remains 0 (tokens were minted to StabilityPool), the transfer will revert, blocking reward distribution.
Impact
Because the RAACMinter contract does not hold the minted tokens (they go straight to StabilityPool), any later call to mintRewards() that depends on excessTokens and the contract’s balance will fail. For example, if tick() mints 100 tokens to StabilityPool and increases excessTokens by 100, then mintRewards(100) will try to transfer 100 tokens from the RAACMinter’s balance—which is zero—causing a failed transfer.
Recommendations
Remove the updation of excessTokens in tick function , this will make sure that excessTokens represent excess of tokens present.
Lead Judging Commences
RAACMinter wrong excessTokens accounting in tick function
RAACMinter wrong excessTokens accounting in tick function
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.