Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

depositRAACFromPool can be griefied by an attacker

smacaud1

Summary

The depositRAACFromPool() contains a strict balance check that can be griefed by an attacker sending tiny amounts of RAAC tokens to the contract, causing deposits to permanently revert.

Vulnerability Details

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/pools/StabilityPool/StabilityPool.sol#L326

function depositRAACFromPool(uint256 amount) external onlyLiquidityPool {
uint256 preBalance = raacToken.balanceOf(address(this));
raacToken.safeTransferFrom(msg.sender, address(this), amount);
uint256 postBalance = raacToken.balanceOf(address(this));
// Vulnerable check
if (postBalance != preBalance + amount) revert InvalidTransfer(); //@audit: attacker can send 1 wei to make sure this check fails
}

Attack Scenario:

  1. Attacker sends 1 wei of RAAC to StabilityPool

  2. LiquidityPool attempts normal deposit of 1000 RAAC

  3. Pre-balance = X, Expected post-balance = X + 1000

  4. Actual post-balance = X + 1000 + 1 (attacker's 1 wei)

  5. Check fails → Deposit reverts permanently

Impact

The depositRAACFromPool will always revert thereby making the function unusable and leads to waste of gas

Tools Used

Manual Review

Recommendations

Consider a fix other than using a strict check

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!