Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Miscalculated Utilization Rate Corrupts RAAC Emission Controls

Summary

The RAACMinter.getUtilizationRate function calculates the protocol utilization rate from an interest rate index instead of actual borrowed amounts, which distorts RAAC token emissions. This critical miscalculation occurs because the function combines the LendingPool's interest accumulator (usageIndex) with the StabilityPool's real deposit balances, producing an artificial utilization metric that corrupts emission rate adjustments. The error propagates through the reward distribution mechanisms and threatens the protocol's economic stability by enabling improper inflation/deflation scenarios and misaligned governance incentives.

Vulnerability Details

The vulnerability stems from an incorrect utilization rate calculation (RAACMinter.sol#L242) in the RAACMinter contract's emission control mechanism. The flaw breaks down as follows:

  1. RAACMinter.getUtilizationRate() which uses:

    • lendingPool.getNormalizedDebt() returning an interest rate index

    • stabilityPool.getTotalDeposits() returning actual scaled deposits

  2. The root cause is that LendingPool.getNormalizedDebt() returns reserve.usageIndex (the interest rate accumulator), not the actual borrowed amount

  3. The correct value is reserve.totalUsage from LendingPool, which tracks the scaled total debt

    contract RAACMinter is IRAACMinter, Ownable, ReentrancyGuard, Pausable, AccessControl {
        function getUtilizationRate() internal view returns (uint256) {
    @>      uint256 totalBorrowed = lendingPool.getNormalizedDebt();
            uint256 totalDeposits = stabilityPool.getTotalDeposits();
            if (totalDeposits == 0) return 0;
            return (totalBorrowed * 100) / totalDeposits;
        }
    }

    contract LendingPool is ILendingPool, Ownable, ReentrancyGuard, ERC721Holder, Pausable {
        function getNormalizedDebt() external view returns (uint256) {
            return reserve.usageIndex;
        }
    }

    contract StabilityPool is IStabilityPool, Initializable, ReentrancyGuard, OwnableUpgradeable, PausableUpgradeable {
        function getTotalDeposits() external view returns (uint256) {
            return rToken.balanceOf(address(this));
        }
    }

This mismatch between using an interest index versus actual borrowed amounts creates an artificial utilization rate that doesn't reflect the real debt/deposit ratio. The miscalculation propagates through the emission rate adjustments, creating distorted reward incentives.
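To show the size of the distortion, the following added example (not code from the RAAC repository) reproduces the integer arithmetic of getUtilizationRate off-chain with BigInt, once with the index as numerator and once with reserve.totalUsage as the report recommends. It assumes usageIndex is a 1e27 fixed-point accumulator starting at 1.0 and that rToken uses 18 decimals; the pool balances are constructed.

```javascript
// Off-chain model of RAACMinter.getUtilizationRate() integer arithmetic.
// Assumptions (not stated on the page): usageIndex is a RAY (1e27) accumulator
// that starts at 1.0, and rToken uses 18 decimals. All balances are constructed.
const RAY = 10n ** 27n;
const WAD = 10n ** 18n;

// Shared formula from the contract: (numerator * 100) / totalDeposits, 0 if empty.
function ratioPercent(numerator, totalDeposits) {
  if (totalDeposits === 0n) return 0n;
  return (numerator * 100n) / totalDeposits;
}

// As reported: the numerator is getNormalizedDebt(), i.e. reserve.usageIndex.
function utilizationFromIndex(pool, totalDeposits) {
  return ratioPercent(pool.usageIndex, totalDeposits);
}

// As recommended in the report: the numerator is reserve.totalUsage.
function utilizationFromDebt(pool, totalDeposits) {
  return ratioPercent(pool.totalUsage, totalDeposits);
}

// Constructed scenarios: identical deposits, different real borrowing.
const deposits = 1_000_000n * WAD;
const scenarios = [
  { name: "no borrows", pool: { usageIndex: RAY, totalUsage: 0n } },
  { name: "50% borrowed", pool: { usageIndex: (RAY * 105n) / 100n, totalUsage: 500_000n * WAD } },
];

function compare() {
  return scenarios.map(({ name, pool }) => ({
    name,
    fromIndex: utilizationFromIndex(pool, deposits),
    fromDebt: utilizationFromDebt(pool, deposits),
  }));
}

for (const row of compare()) {
  console.log(`${row.name}: index-based=${row.fromIndex}% debt-based=${row.fromDebt}%`);
}
```

Under these assumptions the index-based figure is far above 100% even with nothing borrowed, and it moves only with the index and the deposit balance, never with the amount actually borrowed.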

Impact

The miscalculated utilization rate creates systemic risks across multiple protocol layers:

  1. Token Inflation/Deflation Spiral

    • Overstated utilization leads to excessive RAAC minting (inflationary pressure)

    • Understated utilization starves reward pools (deflationary spiral)

  2. Broken Economic Incentives

    • Stability Pool participants receive incorrect yield projections

    • Borrowers face misaligned interest rate risks

  3. Governance Attack Surface

    • Manipulatable emission rates could enable voting power concentration

    • Distorted veRAAC rewards compromise governance integrity

  4. Protocol Insolvency Risk

    • Mismatched debt/deposit ratios prevent accurate risk assessment

    • Liquidation mechanisms become unreliable during market stress

This miscalculation propagates through all reward-dependent systems (gauges, voting, liquidity mining), potentially rendering the protocol's core economic model unsustainable.

Tools Used

Manual Review

Recommendations

Modify RAACMinter.getUtilizationRate() to use actual debt values:

function getUtilizationRate() internal view returns (uint256) {
- uint256 totalBorrowed = lendingPool.getNormalizedDebt();
+ uint256 totalBorrowed = lendingPool.reserve.totalUsage();
uint256 totalDeposits = stabilityPool.getTotalDeposits();
if (totalDeposits == 0) return 0;
return (totalBorrowed * 100) / totalDeposits;
}
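Review bot: on the `+` line, `lendingPool.reserve.totalUsage()` reaches into LendingPool's `reserve` storage struct from RAACMinter, which an external contract reference cannot do as written; the LendingPool excerpt above only exposes `getNormalizedDebt()`, so add a view getter for `reserve.totalUsage` to LendingPool and its interface and call that here. The report also describes `totalUsage` as the scaled total debt, so confirm it is expressed in the same units as `stabilityPool.getTotalDeposits()` before dividing. The unchanged denominator still comes from the StabilityPool, which is the mix of pools that the judging tag calls out.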
Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACMinter::getUtilizationRate incorrectly mixes stability pool deposits with lending pool debt index instead of using proper lending pool metrics
