excessTokens is incremented in the tick function when RAAC tokens are minted to the stability pool, but this is incorrect. Its value should be incremented when RAAC tokens are received or minted in the RAAC Minter contract.
Indeed, excessTokens is used to determine whether the RAACMinter contract has enough RAAC tokens in the mintRewards function. If excessTokens is less than amount, RAAC tokens are minted to the RAACMinter contract before being sent to the receiver.
This logic is wrong, given that excessTokens is just incremented each time tick is called. This means excessTokens represents the total amount of RAAC tokens minted to the stability pool.
Minting in mintRewards will be insufficient, because it will assume that the RAAC Minter contract owns RAAC tokens, which is not the case.
The line uint256 toMint = excessTokens >= amount ? 0 : amount - excessTokens; will return 0 once enough time has passed and tick calls have minted enough tokens for excessTokens to always be greater than the amount to mint. This means no token will be minted and safeTransfer will fail due to an insufficient balance error (if tick has minted at least 1 token and increased excessTokens).
Even if not enough time has passed and it doesn't return 0, fewer than amount tokens will be minted in the RAAC Minter, and the safeTransfer call will fail due to an insufficient balance error. This means once the excessTokens value is greater than or equal to 1, token transfers will always fail.
The impact of this issue is high as it leads to DoS of the mintRewards function after tick has minted at least 1 token.
Manual review
It's unclear what the purpose of excessTokens is. I suppose it should be incremented when this contract receives RAAC tokens for some reason, but this is not possible.
RAAC Minter is not supposed to hold RAAC tokens with the current design. This variable should simply be removed.
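The accounting described above can be checked with a small Python model. This is an added example, not the project's Solidity code: the class names, account labels and the track_excess switch are assumptions, and only the steps named in this report (tick, the toMint line, the mint and the transfer) are modelled.

```python
class InsufficientBalance(Exception):
    """Stands in for the revert raised by a failed token transfer."""

class Token:
    def __init__(self):
        self.balances = {}

    def mint(self, to, amount):
        self.balances[to] = self.balances.get(to, 0) + amount

    def transfer(self, sender, to, amount):
        if self.balances.get(sender, 0) < amount:
            raise InsufficientBalance(sender)
        self.balances[sender] -= amount
        self.mint(to, amount)  # credit the receiver

class Minter:
    def __init__(self, token, track_excess=True):
        self.token = token
        self.track_excess = track_excess  # False models removing the variable
        self.excess_tokens = 0

    def tick(self, amount):
        # Tokens go to the stability pool, yet the minter's counter grows.
        self.token.mint("stability_pool", amount)
        if self.track_excess:
            self.excess_tokens += amount

    def mint_rewards(self, to, amount):
        snapshot = dict(self.token.balances)  # emulate revert-on-failure
        to_mint = 0 if self.excess_tokens >= amount else amount - self.excess_tokens
        try:
            if to_mint > 0:
                self.token.mint("minter", to_mint)
            self.token.transfer("minter", to, amount)
        except InsufficientBalance:
            self.token.balances = snapshot
            raise

def try_rewards(track_excess, ticked, amount):
    """Return True if mint_rewards succeeds after one tick of `ticked` tokens."""
    minter = Minter(Token(), track_excess)
    minter.tick(ticked)
    try:
        minter.mint_rewards("user", amount)
        return True
    except InsufficientBalance:
        return False
```

With the counter tracked, a single token minted by tick is enough to make every later mint_rewards call fail; with the counter removed, the minter always mints the full amount before transferring it.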