Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Reward Calculation Ignores Time-Weighted Voting Power in FeeCollector.sol

Summary

The claimRewards function calculates rewards based on the amount of voting power at the time of claim, not a time-weighted average over the distribution period. This allows users to manipulate rewards by increasing voting power right before claiming.

Vulnerability Details

```solidity
function _calculatePendingRewards(address user) internal view returns (uint256) {
    // Both values are read at the moment of the call, not averaged over the period.
    uint256 userVotingPower = veRAACToken.getVotingPower(user);
    uint256 totalVotingPower = veRAACToken.getTotalVotingPower();
    // The share is proportional to the current voting power only.
    uint256 share = (totalDistributed * userVotingPower) / totalVotingPower;
    return share > userRewards[user] ? share - userRewards[user] : 0;
}
```

Impact

  • Users can increase their voting power just before claiming to gain a disproportionate share of the rewards.

  • The distribution of rewards is unfair, hurting long-term users and benefiting manipulators.

Tools Used

Recommendations

  • Use distribution period data from TimeWeightedAverage.Period to calculate the average voting power of users during each period.

  • Store user participation history in each distribution period and calculate rewards based on time-weighted contributions.
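The difference between the claim-time formula and a time-weighted one can be modelled off-chain. The following is an added example, not code from the submission or from the RAAC contracts: it reproduces the arithmetic of `_calculatePendingRewards` with BigInt (truncating division, as in Solidity) and compares it with a power-seconds calculation. The checkpoint format, the function names, the scenario values and the assumption that voting power stays constant between checkpoints are all constructed for illustration; the project's `TimeWeightedAverage.Period` API is not used.

```javascript
// Added model of the finding; all names and numbers here are constructed assumptions.
// BigInt mirrors Solidity's truncating uint256 arithmetic.

// Formula from _calculatePendingRewards: share uses voting power read at claim time.
function snapshotPending(totalDistributed, userPower, totalPower, alreadyClaimed) {
  const share = (totalDistributed * userPower) / totalPower;
  return share > alreadyClaimed ? share - alreadyClaimed : 0n;
}

// Time-weighted alternative: integrate a user's power over [start, end).
// checkpoints: [{t, power}] sorted by t; each value holds until the next checkpoint.
function powerSeconds(checkpoints, start, end) {
  let acc = 0n;
  for (let i = 0; i < checkpoints.length; i++) {
    const from = checkpoints[i].t > start ? checkpoints[i].t : start;
    const next = i + 1 < checkpoints.length ? checkpoints[i + 1].t : end;
    const to = next < end ? next : end;
    if (to > from) acc += checkpoints[i].power * (to - from);
  }
  return acc;
}

function timeWeightedShare(totalDistributed, user, allUsers, start, end) {
  const total = allUsers.reduce((s, c) => s + powerSeconds(c, start, end), 0n);
  return total === 0n ? 0n : (totalDistributed * powerSeconds(user, start, end)) / total;
}

// Constructed scenario: 7-day distribution period, 1000 reward units.
const DAY = 86400n, START = 0n, END = 7n * DAY, REWARDS = 1000n;
const longTerm = [{ t: 0n, power: 100n }];             // locked for the whole period
const lateLocker = [{ t: END - 3600n, power: 900n }];  // locked one hour before the end

function compare() {
  const all = [longTerm, lateLocker];
  return {
    snapshotLate: snapshotPending(REWARDS, 900n, 1000n, 0n),
    snapshotLong: snapshotPending(REWARDS, 100n, 1000n, 0n),
    weightedLate: timeWeightedShare(REWARDS, lateLocker, all, START, END),
    weightedLong: timeWeightedShare(REWARDS, longTerm, all, START, END),
  };
}

console.log(compare());
```

In this scenario the claim-time formula gives the late locker 900 of 1000 units, while the time-weighted formula gives the same account 50 and the long-term holder 949 (one unit is lost to integer truncation).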

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Time-Weighted Average Logic is Not Applied to Reward Distribution in `FeeCollector`
