Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

wrong assumption of equal decimals in `calculateRaacRewards`

Summary

The function calculateRaacRewards in the StabilityPool contract does not properly account for differences in token decimals. The issue arises because:

  1. userDeposits is stored in RToken decimals.

  2. totalDeposits is derived from DEToken, which may have different decimals.

  3. The reward calculation assumes both tokens have the same decimal precision, which can lead to incorrect reward distribution.

Relevant Code

function calculateRaacRewards(address user) public view returns (uint256) {
    uint256 userDeposit = userDeposits[user];
    uint256 totalDeposits = deToken.totalSupply();
    uint256 totalRewards = raacToken.balanceOf(address(this));
    if (totalDeposits < 1e6) return 0;
    return (totalRewards * userDeposit) / totalDeposits;
}

Vulnerability Details

1. Incorrect Calculation Due to Decimal Mismatch

If RToken and DEToken have different decimal places, the calculation in calculateRaacRewards will be incorrect.

  • Example Scenario:

    • RToken has 6 decimals (1,000,000 = 1 RToken)

    • DEToken has 18 decimals (1e18 = 1 DEToken)

    • totalDeposits is in 18 decimals, while userDeposit is in 6 decimals

    • This results in userDeposit / totalDeposits ≈ 0, leading to an incorrectly small reward

  • This can cause:

    • Zero rewards for users if rounding errors push the value to 0

    • Disproportionate rewards where some users receive more or less than expected

Impact

  1. Incorrect Reward Distribution: Some users may receive significantly lower or higher rewards than intended.

  2. Zero Rewards Issue: If userDeposit is much smaller than totalDeposits due to decimal mismatch, the function may return 0, preventing users from receiving rewards.

Tools Used

Manual review

Recommendations

Ensure all token values are converted to the same decimal standard before calculations, and ensure the value returned at the end is in the correct decimals of the reward token.
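The arithmetic of the submission's example scenario, worked through as an added Python model of Solidity's truncating integer division (this is not code from the submission or from the project). The 6 and 18 decimal figures are the scenario's hypothetical values; the 18-decimal RAAC amounts, the sample balances and the helper names are constructed for illustration.

```python
# Constructed model: Python's `//` on non-negative ints matches Solidity uint256 division.
RTOKEN_DECIMALS = 6      # hypothetical, from the submission's example scenario
DETOKEN_DECIMALS = 18    # hypothetical, from the submission's example scenario
MIN_TOTAL_DEPOSITS = 10**6  # the `totalDeposits < 1e6` guard in the quoted function


def rewards_as_written(total_rewards, user_deposit, total_deposits):
    """Mirror of the quoted formula: raw amounts, no decimal conversion."""
    if total_deposits < MIN_TOTAL_DEPOSITS:
        return 0
    return (total_rewards * user_deposit) // total_deposits


def scale(amount, from_decimals, to_decimals):
    """Re-express a raw token amount in another precision (hypothetical helper)."""
    if to_decimals >= from_decimals:
        return amount * 10 ** (to_decimals - from_decimals)
    return amount // 10 ** (from_decimals - to_decimals)


def rewards_normalized(total_rewards, user_deposit, user_decimals,
                       total_deposits, total_decimals):
    """Recommended variant: bring both deposit figures to one precision first.

    The deposit ratio is then unit-free, so the result stays in the reward
    token's own raw units.
    """
    if total_deposits < MIN_TOTAL_DEPOSITS:
        return 0
    common = max(user_decimals, total_decimals)
    user = scale(user_deposit, user_decimals, common)
    total = scale(total_deposits, total_decimals, common)
    return (total_rewards * user) // total


if __name__ == "__main__":
    # Constructed balances: 100 RToken deposited by the user, 1000 DEToken
    # total supply, 500 RAAC held by the pool (RAAC assumed to use 18 decimals).
    user_dep = 100 * 10**RTOKEN_DECIMALS
    total_dep = 1000 * 10**DETOKEN_DECIMALS
    pool_rewards = 500 * 10**18
    print("as written :", rewards_as_written(pool_rewards, user_dep, total_dep))
    print("normalized :", rewards_normalized(pool_rewards, user_dep, RTOKEN_DECIMALS,
                                             total_dep, DETOKEN_DECIMALS))
    # Small reward balance: the unconverted formula truncates to zero.
    print("dust       :", rewards_as_written(10**12, user_dep, total_dep))
```

When both tokens report the same decimals, the two functions return the same value, so the difference appears only under the mismatch the scenario assumes.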

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
