Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

[H] Incorrect Utilization Rate Calculation in `getUtilizationRate` Function in `RAACMinter`

Singularity

Summary

The getUtilizationRate function in the RAACMinter contract calculates the utilization rate using the getNormalizedDebt function from the LendingPool contract. However, getNormalizedDebt only returns the usageIndex, not the total RTokens minted, which represents the total scaled debt. This leads to incorrect utilization rate calculations and affects the emission rate of RAAC tokens.

Vulnerability Details

The current getUtilizationRate function in the RAACMinter contract is:

function getUtilizationRate() internal view returns (uint256) {
uint256 totalBorrowed = lendingPool.getNormalizedDebt();
uint256 totalDeposits = stabilityPool.getTotalDeposits();
if (totalDeposits == 0) return 0;
return (totalBorrowed * 100) / totalDeposits;
}

the getNormalizedDebt function in LendingPool contract is:

function getNormalizedDebt() external view returns (uint256) {
return reserve.usageIndex;
}

The getNormalizedDebt function in the LendingPool contract only returns the usageIndex, not the total RTokens minted, which represents the total scaled debt.

Links:

  1. https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/minters/RAACMinter/RAACMinter.sol#L242

  2. https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/pools/LendingPool/LendingPool.sol#L610

Impact

This issue can lead to incorrect utilization rate calculations, which affects the emission rate of RAAC tokens. This can result in incorrect token minting and distribution, potentially impacting the overall tokenomics of the protocol.

Tools Used

Manual code review.

Recommendations

Update the getUtilizationRate function to correctly calculate the total borrowed amount by using the total scaled debt. The corrected function should be:

function getUtilizationRate() internal view returns (uint256) {
// Get the total scaled debt from the lending pool
uint256 totalBorrowed = lendingPool.getTotalScaledDebt();
// Get the total RTokens deposited in the stability pool
uint256 totalDeposits = stabilityPool.getTotalDeposits();
if (totalDeposits == 0) return 0;
return (totalBorrowed * 100) / totalDeposits;
}

Additionally, ensure that the LendingPool contract has a function to return the total scaled debt:

function getTotalScaledDebt() external view returns (uint256) {
return reserve.totalUsage;
}

This ensures that the utilization rate is correctly calculated, leading to accurate emission rate calculations and token minting.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACMinter::getUtilizationRate incorrectly mixes stability pool deposits with lending pool debt index instead of using proper lending pool metrics

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACMinter::getUtilizationRate incorrectly mixes stability pool deposits with lending pool debt index instead of using proper lending pool metrics

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!