Submission Details
Severity:
`RAACMinter.getUtilizationRate()` is Unsound
Summary
The RAACMinter.getUtilizationRate() function incorrectly uses the LendingPool's usage index as totalBorrowed. This approach is unsound.
Vulnerability Details
The RAACMinter.getUtilizationRate() function assigns the LendingPool's usage index to totalBorrowed, which is inappropriate.
totalBorrowed should represent the actual amount of tokens borrowed, not the usage index.
function getUtilizationRate() internal view returns (uint256) {
242 uint256 totalBorrowed = lendingPool.getNormalizedDebt();
uint256 totalDeposits = stabilityPool.getTotalDeposits();
if (totalDeposits == 0) return 0;
return (totalBorrowed * 100) / totalDeposits;
}
Impact
The utilization rate calculated is incorrect, leading to an inaccurate reward emission rate.
Tools Used
Manual review
Recommendations
Utilize the LendingPool's total borrowed amount instead of the usage index.
Updates
Lead Judging Commences
inallhonesty 7 months ago
Submission Judgement Published Assigned finding tags:
RAACMinter::getUtilizationRate incorrectly mixes stability pool deposits with lending pool debt index instead of using proper lending pool metrics
inallhonesty 7 months ago
Submission Judgement Published Assigned finding tags:
RAACMinter::getUtilizationRate incorrectly mixes stability pool deposits with lending pool debt index instead of using proper lending pool metrics
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420
USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.