RAACMinter's Utilization Rate Calculation Uses Incorrect Debt Value
Summary
The getUtilizationRate() function in the RAACMinter contract incorrectly uses getNormalizedDebt() to get the total borrowed amount, which returns the usage index instead of the total debt. This leads to an incorrect utilization rate calculation that affects the emission rate adjustments.
Vulnerability Details
The RAACMinter.getUtilizationRate() function uses:
contracts/core/minters/RAACMinter/RAACMinter.sol#L241
The issue is that getNormalizedDebt() returns the usage index rather than the actual total borrowed amount. Looking at LendingPool contract, the correct value should be reserve.totalUsage which represents the total debt in the system.
Impact
This issue causes incorrect utilization rate calculations which directly affects emission rate adjustments and RAAC Token distribution. Therefore, the impact is high as it fundamentally breaks the protocol's core rewards emission mechanism.
Tools Used
Manual code review
Recommendations
-
Add a view function in LendingPool to expose the total debt:
function getTotalDebt() external view returns (uint256) {return reserve.totalUsage;} -
Modify the
getUtilizationRate()function to use the correct total debt valuefunction getUtilizationRate() internal view returns (uint256) {uint256 totalUsage = lendingPool.getTotalDebt();uint256 totalDeposits = stabilityPool.getTotalDeposits();if (totalDeposits == 0) return 0;return (totalUsage * 100) / totalDeposits;}
Lead Judging Commences
RAACMinter::getUtilizationRate incorrectly mixes stability pool deposits with lending pool debt index instead of using proper lending pool metrics
RAACMinter::getUtilizationRate incorrectly mixes stability pool deposits with lending pool debt index instead of using proper lending pool metrics
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.