The contract calculates reward distribution based on the current voting power of veRAACToken holders, using veRAACToken.getVotingPower(user). However, since there is no mechanism ensuring that users maintain their veRAAC balance throughout the entire distribution period, an attacker can artificially inflate their rewards by temporarily locking a large amount of veRAAC before the snapshot, only to withdraw or transfer it immediately after. This allows the attacker to appear as a major stakeholder at the time of calculation without actually maintaining that stake throughout the period. For example:
Since getVotingPower(user) is queried only at the time of reward distribution, a user can game the system by moving tokens strategically across wallets, unfairly increasing their reward share while diluting honest users’ earnings.
An attacker can unfairly claim a disproportionate share of rewards, reducing the earnings of legitimate long-term veRAAC holders.
Use time-weighted voting power instead of a single snapshot by implementing an averaging function.
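The recommended averaging, as an added example that is not part of the original finding or the project's code: a Python model that pays the same pool once from a single snapshot and once from time-weighted voting power over a 30-day period. The checkpoint class, user names, amounts and the step-wise (non-decaying) power are assumptions made for illustration.

```python
from bisect import bisect_right

DAY = 86_400

class CheckpointedPower:
    """Hypothetical per-user history of (timestamp, power) checkpoints."""
    def __init__(self):
        self.history = {}  # user -> [(timestamp, power)], ascending

    def record(self, user, ts, power):
        self.history.setdefault(user, []).append((ts, power))

    def power_at(self, user, ts):
        """Power in force at ts: the last checkpoint at or before ts."""
        cps = self.history.get(user, [])
        i = bisect_right(cps, (ts, float("inf")))
        return cps[i - 1][1] if i else 0

    def time_weighted(self, user, start, end):
        """Integral of power over [start, end) divided by the period length."""
        area, cur_t, cur_p = 0, start, self.power_at(user, start)
        for ts, power in self.history.get(user, []):
            if ts <= start:
                continue
            if ts >= end:
                break
            area += cur_p * (ts - cur_t)   # close the interval at old power
            cur_t, cur_p = ts, power
        area += cur_p * (end - cur_t)      # tail interval up to period end
        return area // (end - start)       # integer division, as on-chain

def shares(powers, pool):
    """Pro-rata split of pool by power, rounding down."""
    total = sum(powers.values())
    return {u: (pool * p // total if total else 0) for u, p in powers.items()}

def compare(pool=1_000_000):
    start, end = 0, 30 * DAY
    vp = CheckpointedPower()
    # Constructed sample data: one holder for the whole period, one account
    # whose power appears an hour before distribution.
    vp.record("holder", start, 1_000)
    vp.record("late", end - 3_600, 9_000)
    users = ("holder", "late")
    snapshot = shares({u: vp.power_at(u, end - 1) for u in users}, pool)
    weighted = shares({u: vp.time_weighted(u, start, end) for u in users}, pool)
    return snapshot, weighted

if __name__ == "__main__":
    print(compare())
```

With the snapshot the late account takes 90% of the pool; with the time-weighted average its share tracks the hour it actually held the stake.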