Raft allows anyone to redeem an equivalent amount of collateral tokens in return for rTokens using redeem().
The fee applied is the combination of baseRate and redemption spread.
The update done to baseRate is important since it's designed to increase with each share of collateral redeemed.
It's calculated as
uint256 decayedBaseRate = _calcDecayedBaseRate(collateralToken);
/* Convert the drawn collateral back to R at face value rate (1 R:1 USD), in order to get
* the fraction of total supply that was redeemed at face value. */
uint256 redeemedFraction = collateralDrawn * price / totalDebtSupply;
uint256 newBaseRate = decayedBaseRate + redeemedFraction / BETA;Where totalDebtSupply is rToken totalsupply
_updateBaseRateFromRedemption(collateralToken, collateralToRedeem, price, rToken.totalSupply());Hence baseRate applicable is inversely proportional to rToken's total supply.
All is well until this point.
However, one thing Raft team missed is
rToken also allows users to flash mint
This allows anyone to take
flashloan of rToken,
inflate total supply,
call redeem inside callback with a different set of rTokens,
pay lower fees than intended,
return borrowed rTokens of flashloan
one thing to note is this invalid update would be sustained for future borrows and redeem as well, courtesy to
https://github.com/raft-fi/contracts/blob/18d79fb62dceb730f13a3fc5cf286ce8fbecbd29/contracts/PositionManager.sol#L609
Fortunately, raft only allows flash loan of 10% of the total supply, hence capping the impact on the base rate.
That's why this is a medium-severity issue and not a high one.
Consider reverting in redeem if there is a active flash loan.