Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

At `RAACMinter`, manipulation of the utilization rate leads users to control for free the direction of the emission rate value

charlescheerful

Summary

RAACMinter's utilization rate calculation can easily be manipulated to have higher or lower values depending on the exploiter's whish.

Vulnerability Details

The manipulability of this value comes from the fact that it reads directly from state the present values on the pools.

But this values can easily be manipulated to be higher or lower without barely any, or zero cost, to move the emission rate in the desired direction.

The utilization rate, currently is calculated with the following unreliable values:

function getUtilizationRate() internal view returns (uint256) {
@> // 👁️🔴 Someone can just borrow a lot of money and return it in the same block, paying 0 interest but making it look like
@> // the utilization rate is very high.
uint256 totalBorrowed = lendingPool.getNormalizedDebt();
@> // 👁️🔴 Someone can just deposit a lot into the pool and make it look like the utilization rate is very low. Then immediately withdraw the funds.
uint256 totalDeposits = stabilityPool.getTotalDeposits();
if (totalDeposits == 0) return 0;
return (totalBorrowed * 100) / totalDeposits;
}

As it can be seen on the calculateNewEmissionRate() funciton, if the utilization rate is higher than desired it increases the emission rate, if lower it decreases it.

Any transaction that would honestly update the emission rate can just be front-run with a contract calling in multi-call the RAACMinter::tick() or RAACMinter::updateEmissionRate() which are callable by anyone. See here and here.

The multi-call would be structred like so:

// If wanting a higher emission rate 📈
// 1. Borrow a lot of money
// 2. Call the tick function
// 3. Repay the borrowed money in the very same block, 0 interests. 1 wei of crvUSD if rounding appears, as much.
// If wanting a lower emission rate 📉
// 1. Deposit a lot of funds.
// 2. Call the tick function.
// 3. Withdraw them.

Note that there is a delay between emission rate updates, this delay is currently of 1 day. This means that the exploiter could only do this once a day. Yet slowly but surely manipulate the emission rate faking the utilization rate.

Impact

The direction of movement of the emission rate can be controlled by anyone. Fortunately there are minimum and maximum emission rate values and time delays between updates, deeming this issue not a high severity one.

Recommendations

Do not compute utilization rate in 1 block. Use an average of the last X blocks or the last X time, so it is harder to manipulate and it truly reflects how the pools are being used.

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACMinter's utilization rate calculation uses point-in-time values that can be manipulated via flash borrowing/lending, allowing control of emission rates at minimal cost

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACMinter's utilization rate calculation uses point-in-time values that can be manipulated via flash borrowing/lending, allowing control of emission rates at minimal cost

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.