Core Contracts

Description

The RAAC protocol's current withdrawal mechanism implements a "first come, first served" model in withdraw(), which coupled with the fact that there is no mechanism of socilaization of loss, could lead to a bank run scenario.

The fundamental issue arises from underwater positions and extreme price movements:

1. Liquidation Mechanics

   • When a borrower's debt value exceeds their collateral value, they should be liquidated

   • During liquidation, the protocol should recover the borrower's debt value

   • However, if collateral value < debt value, there's an unrecoverable loss

   • Example:

     • Borrower has 100 crvUSD debt and NFT worth 150 crvUSD

     • NFT price crashes to 80 crvUSD

     • Liquidation recovers only 80 crvUSD, leaving 20 crvUSD deficit

2. Lack of Loss Socialization Mechanism Among Existing Depositors

   • These unrecoverable losses create a deficit in the protocol

   • First withdrawers can still get full value

   • Last withdrawers bear the entire system loss

3. Price Movement Amplification

   • Large market movements can create multiple underwater positions simultaneously

   • Each liquidation potentially adds to the system deficit

   • As losses accumulate, risk of a bank run increases

   • Users who recognize this will rush to withdraw, triggering the run

Impact

The vulnerability creates several serious risks:

1. Inequality Among Users

   • Early withdrawers receive full value

   • Later withdrawers may receive nothing

   • Advantages users with:

     • Better network connectivity

     • Higher gas fee capability

     • Automated monitoring tools

2. Market Destabilization

   • Self-fulfilling prophecy where fear of a bank run causes a bank run

   • Could trigger cascading liquidations

Mitigation

Some possible ways to handle this:

• Implement Withdrawal Rate Limiting

• Proportional Withdrawals

• Withdrawal Queue System