Missing actual transfer of RAAC tokens to the managers in the StabilityPool contract
Summary
In StabilityPoolL326, the comment implies that the alloocation of RAAC for different managers logic will be implemented in the depositRAACFromPool function however, this not designed that way.
Vulnerability Details
In the depositRAACFromPool function, the logic todo comment attached within the function expected to disperse the RAAC token allocations to the managers. This is not integrated into the function. see:
It is important to note that there is no current liquidityPool address that is permissioned to invoke the depositRAACFroomPool function. This is not so much an issue since only owner can easily update a smart contract address to serve as the liquidity pool. This liquidity pool only provides RAAC tokens into the StabilityPool contract without actually sending to the managers.
The protocol documentation states:
Manage allocation of funds across different markets and managers
https://docs.raac.io/core/pools/StabilityPool/StabilityPool
Impact
Inconsistency between documentation and code implementation.
Tools Used
Manual review.
Recommendations
Remove comment
Lead Judging Commences
StabilityPool::calculateRaacRewards uses contract balance for reward calculation, incorrectly including tokens meant for manager allocation - Manager allocation not implemented
StabilityPool::calculateRaacRewards uses contract balance for reward calculation, incorrectly including tokens meant for manager allocation - Manager allocation not implemented
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.