Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Fundamentally flawed `mintRewards` function in `RAACMinter.sol`.

Summary

The mintRewards function in RAACMinter.sol is fundamentally flawed. It attempts to directly transfer excessTokens, which are minted to the stabilityPool and are not held in the minter contract.

Vulnerability Details

The mintRewards function in RAACMinter.sol operates under the incorrect assumption that excessTokens are available within the RAACMinter contract for direct transfer. In reality, excessTokens are accumulated as a counter in RAACMinter, but during the tick() function, these accumulated tokens are minted and transferred to the stabilityPool.

Problematic Code Snippet:

```solidity
// contracts/core/minters/RAACMinter/RAACMinter.sol
function mintRewards(address to, uint256 amount) external nonReentrant whenNotPaused {
    if (msg.sender != address(stabilityPool)) revert OnlyStabilityPool();
    // @q todo: should it not be amount instead of 0 when excessTokens is > amount?
    uint256 toMint = excessTokens >= amount ? 0 : amount - excessTokens;
    // @audit-issue did not understand it yet, but something is off: if excessTokens > amount,
    // toMint = 0 and excessTokens is reduced by amount. What the fuck: no amount is minted
    // but excessTokens is reduced! Should not be the case.
    excessTokens = excessTokens >= amount ? excessTokens - amount : 0;
    if (toMint > 0) {
        raacToken.mint(address(this), toMint);
    }
    raacToken.safeTransfer(to, amount); // <------- Direct transfer attempted
    emit RAACMinted(amount);
}

function tick() external nonReentrant whenNotPaused {
    // ...
    if (blocksSinceLastUpdate > 0) {
        uint256 amountToMint = emissionRate * blocksSinceLastUpdate;
        if (amountToMint > 0) {
            excessTokens += amountToMint;
            lastUpdateBlock = currentBlock;
            raacToken.mint(address(stabilityPool), amountToMint); // <------- excessTokens are minted to stabilityPool
            emit RAACMinted(amountToMint);
        }
    }
}
```

The mintRewards function checks excessTokens >= amount and attempts to directly safeTransfer(to, amount). However, excessTokens are minted to the stabilityPool in tick(), meaning they are not available in the RAACMinter contract for direct transfer. This makes the conditional logic and direct transfer in mintRewards fundamentally flawed and impossible to execute as intended.
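The following is an added example, not code from the submission or the project: a small in-memory JavaScript model of the two functions above, showing that mintRewards reverts in both branches once tick() has raised excessTokens. It assumes the token transfer reverts on insufficient balance and that the minter holds no other RAAC; the emission rate, the address labels and the names MinterModel and scenario are constructed for the illustration.

```javascript
// Added model (not project code): an in-memory ledger standing in for the RAAC ERC-20.
// Assumptions: transfers revert on insufficient balance; the minter holds no other RAAC.
class MinterModel {
  constructor(emissionRate) {
    this.balances = new Map();   // address label -> RAAC balance
    this.excessTokens = 0n;      // counter kept by RAACMinter
    this.emissionRate = emissionRate;
  }
  balanceOf(a) { return this.balances.get(a) ?? 0n; }
  mint(to, amt) { this.balances.set(to, this.balanceOf(to) + amt); }
  transfer(from, to, amt) {
    if (this.balanceOf(from) < amt) throw new Error("ERC20: insufficient balance");
    this.balances.set(from, this.balanceOf(from) - amt);
    this.mint(to, amt);
  }
  // Mirrors tick(): the counter grows, but the tokens go to the stability pool.
  tick(blocks) {
    const amountToMint = this.emissionRate * blocks;
    if (amountToMint > 0n) {
      this.excessTokens += amountToMint;
      this.mint("stabilityPool", amountToMint);
    }
  }
  // Mirrors mintRewards(); state is rolled back on failure, like an EVM revert.
  mintRewards(to, amount) {
    const snapshot = { balances: new Map(this.balances), excessTokens: this.excessTokens };
    try {
      const toMint = this.excessTokens >= amount ? 0n : amount - this.excessTokens;
      this.excessTokens = this.excessTokens >= amount ? this.excessTokens - amount : 0n;
      if (toMint > 0n) this.mint("minter", toMint);
      this.transfer("minter", to, amount); // minter holds only toMint, never amount
      return "ok";
    } catch (e) {
      Object.assign(this, snapshot);
      return "reverted";
    }
  }
}

// Run tick() for `blocks` blocks, then request `amount` in rewards for "user".
function scenario(blocks, amount) {
  const m = new MinterModel(10n); // constructed emission rate: 10 tokens per block
  m.tick(blocks);
  const result = m.mintRewards("user", amount);
  return { result, minter: m.balanceOf("minter"), pool: m.balanceOf("stabilityPool"),
           user: m.balanceOf("user"), excessTokens: m.excessTokens };
}
```

In this model the call only succeeds when excessTokens is zero, because that is the only case in which the minter mints the full amount to itself before the transfer.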

Impact

  • mintRewards Functionality Broken: The mintRewards function will not work as intended because it attempts to transfer tokens that are not held by the RAACMinter contract.

  • Reward Distribution Failure: The intended mechanism for distributing rewards via mintRewards is broken.

Tools Used

Manual code review.

Recommendations

Completely redesign the mintRewards function. The current logic is based on a false premise and cannot function as intended.

Updates

Lead Judging Commences

inallhonesty Lead Judge
6 months ago
inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACMinter wrong excessTokens accounting in tick function
