Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

Missing Validation for Connected Protocol States

Summary

The tick() and mintRewards functions don’t check the paused states of StabilityPool and LendingPool, risking minting based on stale data if either is paused. This medium-impact, medium-likelihood issue could lock excess RAAC in an inaccessible pool, diluting value or causing losses.

Vulnerability Details

No state validation exists for dependent contracts. Example:

StabilityPool is paused (e.g., emergency).
tick() mints 500 RAAC/day ($500/day at $1/RAAC) based on stale 80% utilization (real 20%).
With 400/day) accumulates in paused pool.
$12K excess (30 days) becomes locked or lost.

Impact

Excess RAAC (e.g., $12K over 30 days) could be trapped or diluted, a medium-impact issue affecting economics. The medium likelihood reflects plausible pause events in dependent pools, posing an operational risk.

Tools Used

Manual Code Review: To verify absence of pause validation in tick().

Recommendations

Validate states:

function tick() external nonReentrant whenNotPaused {
    require(!stabilityPool.paused() && !lendingPool.paused(), "Dependent pools paused");
    // ... rest of logic ...
}

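
A reverting check rolls back all state, so any block checkpoint stays where it was for as long as a pool is paused. The sketch below is an added example, not code from the submission or the audited project: it skips the mint and advances the checkpoint instead, assuming emissions are computed from blocks elapsed since the last tick. Every name other than tick(), paused(), stabilityPool and lendingPool is hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration. The accounting model (emission per elapsed block) is an
// assumption; nonReentrant / whenNotPaused are omitted to stay self-contained.
interface IPausablePool {
    function paused() external view returns (bool);
}

contract GuardedMinterSketch {
    IPausablePool public immutable stabilityPool;
    IPausablePool public immutable lendingPool;
    uint256 public lastUpdateBlock;
    uint256 public emissionPerBlock; // hypothetical emission rate
    uint256 public totalMinted;      // stand-in for an actual token mint

    event TickSkipped(uint256 blockNumber, bool stabilityPaused, bool lendingPaused);

    constructor(IPausablePool _stabilityPool, IPausablePool _lendingPool, uint256 _rate) {
        stabilityPool = _stabilityPool;
        lendingPool = _lendingPool;
        emissionPerBlock = _rate;
        lastUpdateBlock = block.number;
    }

    function tick() external {
        bool sPaused = stabilityPool.paused();
        bool lPaused = lendingPool.paused();

        if (sPaused || lPaused) {
            // Advance the checkpoint so blocks that pass during the pause are
            // not minted retroactively on the first tick after unpausing.
            lastUpdateBlock = block.number;
            emit TickSkipped(block.number, sPaused, lPaused);
            return;
        }

        // Normal path: mint only for blocks elapsed since the last checkpoint.
        uint256 elapsed = block.number - lastUpdateBlock;
        lastUpdateBlock = block.number;
        totalMinted += elapsed * emissionPerBlock;
    }
}
```

Whether emissions for the paused interval should be forfeited, as here, or deferred is a design decision; the TickSkipped event gives monitoring a signal in either case.
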
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
