Excess tokens are not held for in the contract's balance
Summary
ExcessTokens are not held for in the contract's balance, thus mintRewards will revert in most cases.
Vulnerability Details
During minting rewards in RAACMinter, if not enough excessTokens are held, then the function will mint additional tokens:
The issue is excessTokens are not held for in the contract's balance. This variable represents amount of tokens minted in tick() function rather real tokens held for future reward distribution.
For example, excessTokens = 100e18, and reward amount is 1e18, but there is 0 tokens on contract's balance, because all tokens was minted to stability pool:
So mintRewards will revert because toMint will be 0 in most cases, and contract balanse is insufficient.
Impact
mintRewards will rewert in most cases.
Tools Used
Manual review.
Recommendations
Recommended to use contract's balance instead excessTokens to determine additional amount to be minted.
Lead Judging Commences
RAACMinter wrong excessTokens accounting in tick function
RAACMinter wrong excessTokens accounting in tick function
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.