Core Contracts

Summary

The RAAC lending protocol has a problem where tiny debts (called "dust") don’t get cleaned up properly because the DebtToken and LendingPool contracts use different rules for what counts as "too small." This leaves users stuck with small amounts of debt they can’t fully repay, locking their assets and causing frustration.

Vulnerability Details

The issue comes from two contracts in the RAAC lending protocol not agreeing on how to handle small leftover debts. The DebtToken contract, which tracks what users owe, sets a limit called DUST_THRESHOLD at 10,000 Wei. The LendingPool contract, which manages lending and repayment, sets its DUST_THRESHOLD at 1,000,000 Wei, a much bigger number.

In DebtToken.sol, the DUST_THRESHOLD is set like this:

But when users repay debt in the burn function, it doesn’t check or clear amounts below this limit:

• If a user has 50,000 Wei of debt and repays 49,999 Wei, they’re left with 1 Wei.

  The code doesn’t say, “If what’s left is less than 10,000 Wei, burn it all.” So, that 1 Wei stays.

In LendingPool, the DUST_THRESHOLD is higher:

It’s used in the closeLiquidation function to let users stop liquidation if their debt is tiny

Here, users can exit liquidation only if their debt is 1,000,000 Wei or less. But if it’s between 10,000 and 1,000,000 Wei, it’s too big for DebtToken to ignore but too small for LendingPool to force liquidation.

Imagine a user owes 50,000 Wei:

• They repay 49,999 Wei, leaving 1 Wei.

• DebtToken doesn’t burn that 1 Wei because nothing tells it to clear amounts below 10,000 Wei.

• In LendingPool, that 1 Wei is way below 1,000,000 Wei, so it’s not a problem for liquidation—but the user still can’t get rid of it.

The repay function in LendingPool calls burn:

If the leftover debt is tiny (e.g., 1 Wei), it stays because burn doesn’t finish the job.

This mismatch means:

• DebtToken thinks 10,000 Wei is the cutoff for tiny debts.

• LendingPool thinks 1,000,000 Wei is the cutoff, leaving a gap where debts between 10,000 and 1,000,000 Wei don’t get handled properly.

Impact

1. People repay almost all their debt but get stuck with tiny amounts (like 1 Wei). They can’t fully close their account because DebtToken doesn’t wipe out these leftovers.

2. Users can’t get their RAAC NFTs back (their collateral) because withdrawNFT checks if debt is zero

3. Debts between 10,000 and 1,000,000 Wei are too big for DebtToken to call dust but too small for LendingPool to liquidate. They just sit there, clogging the system.

Tools Used

Manual Review

Recommendations

1. Make DUST_THRESHOLD the same in both contracts set both to 1,000,000 Wei. This way, they agree on what’s “too small”

2. Update the burn function to wipe out debt below DUST_THRESHOLD when users repay most of it: