Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Missing StabilityPool Integration in `mintRewards` Function

Summary

The mintRewards function in the RAAC minter contract is designed to be callable exclusively by the StabilityPool contract. However, there is no implementation or interface that allows the StabilityPool to invoke this function. As a result, the intended reward minting and distribution mechanism cannot be triggered, which may prevent rewards from being minted and delivered to users or contracts that depend on RAAC tokens as rewards.

Vulnerability Details

What Went Wrong:
The function is defined as follows:

```solidity
function mintRewards(address to, uint256 amount) external nonReentrant whenNotPaused {
    if (msg.sender != address(stabilityPool)) revert OnlyStabilityPool();
    uint256 toMint = excessTokens >= amount ? 0 : amount - excessTokens;
    excessTokens = excessTokens >= amount ? excessTokens - amount : 0;
    if (toMint > 0) {
        raacToken.mint(address(this), toMint);
    }
    raacToken.safeTransfer(to, amount);
    emit RAACMinted(amount);
}
```

Although this function is meant to be called by the StabilityPool (as enforced by the if (msg.sender != address(stabilityPool)) check), there is no mechanism or interface in place for the StabilityPool contract to call it. This omission means that the StabilityPool is effectively unable to trigger the reward minting process.

Why It Matters:
Without a way for the StabilityPool to call mintRewards, the reward mechanism remains inactive. The collected minting fees or rewards are never processed, leading to a failure in distributing rewards to the intended recipients. This can halt an essential part of the protocol's economic incentive model.

Impact

Disrupted Reward Distribution:
The inability of the StabilityPool to trigger mintRewards results in no rewards being minted or distributed, which undermines the incentive mechanism for users.

In the RWA or RAAC gauges (inherited from BaseGauge), the notifyRewardAmount() function contains the following balance check:

```solidity
if (rewardRate * getPeriodDuration() > balance) {
    revert InsufficientRewardBalance();
}
```

So if this contract does not already hold a balance (which needs to be sent by the RAACMinter), these gauges cannot be initialised and the rewards will be calculated with very wrong numbers.

Economic Imbalance:
Essential rewards remain unminted, potentially causing significant economic disruption and a loss of trust among participants who expect to receive rewards.

Protocol Degradation:
The overall stability and appeal of the protocol are at risk if users cannot receive the rewards they are entitled to due to this missing functionality.

Tools Used

Manual Code Review: We analyzed the mintRewards function and verified that there is no integrated method or interface for the StabilityPool to invoke this function.

Recommendations

Implement StabilityPool Integration:
Provide an interface or additional functionality in the StabilityPool contract that allows it to call the mintRewards function. Ensure that the StabilityPool address is correctly configured and that the call flow is established.
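
The manual review above can be approximated, and re-run once the integration exists, with a small source-level check. This is an added example, not code from the submission or the RAAC project: it finds functions gated on `msg.sender != address(X)` and reports those that the contract behind `X` never calls. The regexes are a heuristic, and both pool sources and the name `exampleWithdraw` are constructed stand-ins.

```python
import re

# RAACMinter excerpt: the gate line is from the finding, the body is trimmed.
MINTER_SRC = """
contract RAACMinter {
    function mintRewards(address to, uint256 amount) external nonReentrant whenNotPaused {
        if (msg.sender != address(stabilityPool)) revert OnlyStabilityPool();
        raacToken.safeTransfer(to, amount);
    }
}
"""
# Constructed stand-ins for the pool (not the project's code): one without
# any call to the minter, one with a hypothetical call site added.
POOL_WITHOUT_CALL = """
contract StabilityPool {
    function exampleWithdraw(uint256 amount) external { _send(msg.sender, amount); }
}
"""
POOL_WITH_CALL = """
contract StabilityPool {
    function exampleWithdraw(uint256 amount) external {
        raacMinter.mintRewards(msg.sender, amount);
    }
}
"""

FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)[^{]*\{")
GATE_RE = re.compile(r"msg\.sender\s*!=\s*address\(\s*(\w+)\s*\)")

def gated_functions(src):
    """Map each function whose body has a msg.sender gate to the gate variable."""
    heads = list(FUNC_RE.finditer(src))
    gated = {}
    for i, head in enumerate(heads):
        # A function body runs until the next function header or end of source.
        end = heads[i + 1].start() if i + 1 < len(heads) else len(src)
        gate = GATE_RE.search(src, head.end(), end)
        if gate:
            gated[head.group(1)] = gate.group(1)
    return gated

def uncalled_gated(gated_src, caller_srcs):
    """Return (function, gate variable) pairs that the allowed caller never invokes."""
    findings = []
    for fn, var in gated_functions(gated_src).items():
        call = re.compile(r"\.\s*" + re.escape(fn) + r"\s*\(")
        # caller_srcs maps a gate variable name to the source of that contract.
        if not call.search(caller_srcs.get(var, "")):
            findings.append((fn, var))
    return findings
```

A call made through a low-level `call` or a differently named wrapper is not seen by this check, so an empty result still needs a test that exercises the reward path.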

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACMinter::mintRewards function is never called by StabilityPool despite being the only authorized caller, leaving intended reward functionality unused
