Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

Protocol Rewards Bypass Minting Process Through Direct Transfers

Summary

The StabilityPool contract directly transfers RAAC rewards from its balance instead of minting new rewards through the RAACMinter. This can lead to failed withdrawals if the pool's RAAC balance is insufficient to pay all accrued rewards.

Vulnerability Details

During withdrawals, the StabilityPool transfers RAAC rewards directly from its balance:

    function withdraw(uint256 deCRVUSDAmount) external nonReentrant whenNotPaused validAmount(deCRVUSDAmount) {
        _update();
        // ...
        uint256 raacRewards = calculateRaacRewards(msg.sender);
        // ...
        if (raacRewards > 0) {
            raacToken.safeTransfer(msg.sender, raacRewards);
        }
    }

This means rewards are sent from the stability pool's own balance. If the stability pool doesn't hold enough RAAC tokens, no user will be able to withdraw. Another point is that mintRewards is only available to the stability pool, but the stability pool doesn't implement this function.

Impact

Users won't be able to withdraw their tokens if there aren't enough rewards in the stability pool.

Tools Used

Manual review

Recommendations

Modify withdraw to mint rewards through RAACMinter instead of transferring from pool balance:

    function withdraw(uint256 deCRVUSDAmount) external {
        _update();
        // ...
        uint256 raacRewards = calculateRaacRewards(msg.sender);
        if (raacRewards > 0) {
            raacMinter.mintRewards(msg.sender, raacRewards); // Mint new rewards
        }
        deToken.burn(msg.sender, deCRVUSDAmount);
        rToken.safeTransfer(msg.sender, rcrvUSDAmount);
    }
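A minimal model of the failure mode described in this submission, added here as an example and not taken from the submission or the RAAC code base. It goes beyond the recommendation above by contrasting the coupled payout with a variant that pays what the pool holds and carries the shortfall forward. The contract, its function names, the accrual rule and the assumption that both tokens return a bool from transfer are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example: every name below is hypothetical, not taken from the RAAC code base.
interface IERC20Min {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract RewardPayoutModel {
    IERC20Min public immutable depositToken;
    IERC20Min public immutable rewardToken;
    mapping(address => uint256) public deposits;    // principal per user
    mapping(address => uint256) public owedRewards; // accrued, unpaid rewards per user

    event RewardShortfall(address indexed user, uint256 unpaid);

    constructor(IERC20Min deposit_, IERC20Min reward_) { depositToken = deposit_; rewardToken = reward_; }

    function deposit(uint256 amount) external {
        deposits[msg.sender] += amount;
        // Constructed accrual rule (1 reward unit per 100 deposited), for illustration only.
        owedRewards[msg.sender] += amount / 100;
        require(depositToken.transferFrom(msg.sender, address(this), amount), "deposit failed");
    }

    // Coupled payout, as in the finding: a reward shortfall reverts the principal withdrawal too.
    function withdrawCoupled(uint256 amount) external {
        deposits[msg.sender] -= amount; // checked math reverts on over-withdrawal
        uint256 owed = owedRewards[msg.sender];
        owedRewards[msg.sender] = 0;
        if (owed > 0) require(rewardToken.transfer(msg.sender, owed), "reward failed");
        require(depositToken.transfer(msg.sender, amount), "principal failed");
    }

    // Decoupled payout: pay what the pool holds, keep the remainder owed, still release principal.
    function withdrawDecoupled(uint256 amount) external {
        deposits[msg.sender] -= amount;
        uint256 owed = owedRewards[msg.sender];
        uint256 held = rewardToken.balanceOf(address(this));
        uint256 pay = owed < held ? owed : held;
        owedRewards[msg.sender] = owed - pay;
        if (pay < owed) emit RewardShortfall(msg.sender, owed - pay);
        if (pay > 0) require(rewardToken.transfer(msg.sender, pay), "reward failed");
        require(depositToken.transfer(msg.sender, amount), "principal failed");
    }
}
```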
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Too generic
