Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

`calculateRaacRewards()` does not take into account the scaling factor if `rToken` and `deToken` have different decimals

Summary

In the stability pool protocol, rewards are calculated based on a user's total deposit of rToken and the total issued deTokens.

The problem arises if the tokens have different decimal places.

Vulnerability Details

In the calculateRaacRewards function, if the decimals of rToken and deToken differ, it could result in highly inflated or deflated rewards.

```solidity
function calculateRaacRewards(address user) public view returns (uint256) {
    uint256 userDeposit = userDeposits[user];
    uint256 totalDeposits = deToken.totalSupply();
    uint256 totalRewards = raacToken.balanceOf(address(this));
    if (totalDeposits < 1e6) return 0;
    return (totalRewards * userDeposit) / totalDeposits; //@audit userDeposit and totalDeposits may have diff decimals
}

// Allow to make rToken / deToken decimals flexible
uint8 public rTokenDecimals;
uint8 public deTokenDecimals;
```

Impact

In deposit/withdraw operations, the scaling factor is always checked. However, in reward calculations, it is omitted, leading to major inconsistencies when distributing rewards.

Tools Used

  • Manual review

Recommendations

  • Calculate the scaling factor for both tokens before computing Raac rewards.
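
The arithmetic this submission describes, as an added example that is not part of the submission or the project's code: a JavaScript BigInt model of the quoted formula, showing how a decimals mismatch skews the result and how bringing both amounts to a common 18-decimal scale removes the skew. The decimals, balances, and helper names (`toWad`, `rewardsUnscaled`, `rewardsScaled`, `scenario`) are constructed assumptions.

```javascript
// Added illustration: BigInt division truncates like Solidity uint256 division.
// All decimals and balances below are constructed sample values.
const WAD_DECIMALS = 18n;

// Scale a raw token amount from its own decimals to 18 decimals.
function toWad(amount, decimals) {
  if (decimals > WAD_DECIMALS) {
    return amount / 10n ** (decimals - WAD_DECIMALS); // truncates on downscale
  }
  return amount * 10n ** (WAD_DECIMALS - decimals);
}

// Mirrors the quoted function: raw units are divided directly.
function rewardsUnscaled(totalRewards, userDeposit, totalDeposits) {
  if (totalDeposits < 10n ** 6n) return 0n;
  return (totalRewards * userDeposit) / totalDeposits;
}

// Same formula after both amounts are normalized to 18 decimals.
function rewardsScaled(totalRewards, userDeposit, rDec, totalDeposits, deDec) {
  if (totalDeposits < 10n ** 6n) return 0n; // same raw threshold as above
  const deposit = toWad(userDeposit, rDec);
  const total = toWad(totalDeposits, deDec);
  return (totalRewards * deposit) / total;
}

// Constructed scenario: the user holds 100 of 1,000 deposited tokens (10%),
// and the pool holds 500 reward tokens with 18 decimals.
function scenario(rDec, deDec) {
  const totalRewards = 500n * 10n ** 18n;
  const userDeposit = 100n * 10n ** rDec;     // tracked in rToken units
  const totalDeposits = 1000n * 10n ** deDec; // stands in for deToken.totalSupply()
  return {
    unscaled: rewardsUnscaled(totalRewards, userDeposit, totalDeposits),
    scaled: rewardsScaled(totalRewards, userDeposit, rDec, totalDeposits, deDec),
  };
}

// Print the three cases: equal decimals, 18 vs 6, and 6 vs 18.
for (const [r, d] of [[18n, 18n], [18n, 6n], [6n, 18n]]) {
  const { unscaled, scaled } = scenario(r, d);
  console.log(`rToken=${r} deToken=${d} unscaled=${unscaled} scaled=${scaled}`);
}
```

With equal decimals both versions agree; with a mismatch the unscaled result is off by a factor of 10^|rDec - deDec| while the scaled result stays at the 10% share.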

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
