Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

`RAACMinter.getUtilizationRate()` Calculates the Incorrect System Utilization Rate

crazymysteryauditor

Summary

The RAACMinter.updateEmissionRate() function relies on the system utilization rate retrieved from RAACMinter.getUtilizationRate(). However, the implementation of getUtilizationRate() is flawed, leading to incorrect calculations of the emissionRate. This miscalculation can have significant implications for the distribution of the veRAAC token.

Vulnerability Details

The current implementation of the getUtilizationRate() function is as follows:

/**
* @dev Calculates the current system utilization rate
* @return The utilization rate as a percentage (0-100)
*/
function getUtilizationRate() internal view returns (uint256) {
uint256 totalBorrowed = lendingPool.getNormalizedDebt();
uint256 totalDeposits = stabilityPool.getTotalDeposits();
if (totalDeposits == 0) return 0;
return (totalBorrowed * 100) / totalDeposits;
}

  1. Incorrect Total Borrowed Calculation:

    • The lendingPool.getNormalizedDebt() function returns reserve.usageIndex, which does not represent the total borrowed amount accurately. Instead, it uses a large decimal scaling factor (1e27), which can lead to misinterpretation of the value.

    function getNormalizedDebt() external view returns (uint256) {
    return reserve.usageIndex; // Not an accurate representation of total borrowed
    }

  2. Misleading Total Deposits Calculation:

    • The stabilityPool.getTotalDeposits() function returns the total deposits of rToken to the stability pool, which does not encompass the entire system's deposit amount. This can lead to a significant underestimation of the total deposits in the system.

    function getTotalDeposits() external view returns (uint256) {
    return rToken.balanceOf(address(this)); // Limited to stability pool deposits
    }

Due to the incorrect values for totalBorrowed and totalDeposits, the utilization rate calculated by getUtilizationRate() will be inaccurate. Consequently, the emissionRate will be updated based on this flawed utilization rate, potentially leading to improper emissions of the veRAAC token and affecting the overall tokenomics of the system.

Impact

The incorrect calculation of the utilization rate can lead to:

  • Inaccurate updates to the emissionRate.

  • Potential over- or under-emission of veRAAC tokens.

  • Distorted incentives for users interacting with the lending and stability pools.

Tools Used

Manual Review

Recommendations

It is recommended to implement the calculation based on accurate representations of the total borrowed and total deposits.

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACMinter::getUtilizationRate incorrectly mixes stability pool deposits with lending pool debt index instead of using proper lending pool metrics

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACMinter::getUtilizationRate incorrectly mixes stability pool deposits with lending pool debt index instead of using proper lending pool metrics

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.