Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

`RAACMinter` utilization rate is wrong because it uses data from both pools

Vulnerability Details

In `RAACMinter::getUtilizationRate()` the utilization rate calculation mixes pools. By definition, the utilization rate should be that of the whole system; see the docs here:

```solidity
/**
@>  * @dev Calculates the current system utilization rate
    * @return The utilization rate as a percentage (0-100)
    */
function getUtilizationRate() internal view returns (uint256) {
@>  // 👁️🔴 Using borrows from lending pool but deposits from stability pool
@>  uint256 totalBorrowed = lendingPool.getNormalizedDebt();
@>  uint256 totalDeposits = stabilityPool.getTotalDeposits();
    if (totalDeposits == 0) return 0;
    return (totalBorrowed * 100) / totalDeposits;
}
```

But as seen, it uses data from both pools, which is incorrect because not all deposits in the LendingPool are also deposits in the StabilityPool. A user can simply not deposit their RTokens in the StabilityPool.

Impact

The utilization rate is incorrectly calculated, which disrupts the RAACToken minting pace, as it is used when calculating new emission rates, see here.

Recommendations

The real utilization rate should be calculated only taking into account deposits from the LendingPool.
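
A small model of the discrepancy, added here as an illustration and not taken from the RAAC code base or the submission: the pool ledger, its names and the 1:1 RToken minting are assumptions, and the debt figure is treated as a borrowed total, as the `totalBorrowed` variable name suggests. It shows the mixed-pool rate reporting 0 when nobody stakes and leaving the documented 0-100 range when only part of the RTokens are staked.

```javascript
// Added illustration, not RAAC code: a minimal ledger model of the two pools.
// All class, field and function names below are hypothetical.
class PoolModel {
  constructor() {
    this.lendingDeposits = 0n;   // assets supplied to the LendingPool (assumed: RTokens minted 1:1)
    this.lendingBorrowed = 0n;   // assets borrowed from the LendingPool
    this.stabilityDeposits = 0n; // RTokens their holders chose to stake in the StabilityPool
  }
  deposit(amount) { this.lendingDeposits += amount; }
  borrow(amount) {
    if (this.lendingBorrowed + amount > this.lendingDeposits) throw new Error("insufficient liquidity");
    this.lendingBorrowed += amount;
  }
  stake(amount) {
    if (this.stabilityDeposits + amount > this.lendingDeposits) throw new Error("more RTokens than minted");
    this.stabilityDeposits += amount;
  }
}

// Same integer arithmetic as getUtilizationRate(): early return on zero, then floor division.
function rate(borrowed, deposits) {
  if (deposits === 0n) return 0n;
  return (borrowed * 100n) / deposits;
}

// Mixed-pool form from the finding: LendingPool debt over StabilityPool deposits.
const mixedRate = (p) => rate(p.lendingBorrowed, p.stabilityDeposits);
// Form the recommendation describes: both figures from the LendingPool.
const lendingOnlyRate = (p) => rate(p.lendingBorrowed, p.lendingDeposits);

// Constructed scenario: 1,000 supplied, 800 borrowed, `staked` RTokens moved to the StabilityPool.
function scenario(staked) {
  const p = new PoolModel();
  p.deposit(1000n);
  p.borrow(800n);
  if (staked > 0n) p.stake(staked);
  return { mixed: mixedRate(p), lendingOnly: lendingOnlyRate(p) };
}

console.log(scenario(0n));    // nobody stakes
console.log(scenario(400n));  // 40% of RTokens staked
console.log(scenario(1000n)); // every RToken staked
```

The two rates agree only in the last case, where every RToken is staked.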

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACMinter::getUtilizationRate incorrectly mixes stability pool deposits with lending pool debt index instead of using proper lending pool metrics
