Core Contracts

Summary

Users are supposed to receive RAAC rewards when they deposit rTokens into the StabilityPool. However, the current implementation grants a share of RAAC rewards immediately after deposit, allowing users to game the system by making quick deposits and withdrawals to unfairly claim rewards.

Vulnerability Details

The issue arises in the current calculateRaacRewards(...) function:

Why This Is a Problem

• The calculation depends only on the current userDeposit and totalDeposits, without considering how long a user has been staked.

• Since rToken and deToken maintain a 1:1 ratio, an attacker can deposit a large amount, claim a significant portion of the rewards, and immediately withdraw, without contributing to the intended long-term incentive mechanism.

• No time-based weighting is applied, meaning short-term depositors are rewarded the same as long-term depositors, defeating the purpose of staking incentives.

Exploit Scenario

1. Attacker deposits a large amount of rTokens into the StabilityPool.

2. Since rewards are immediately calculated based on totalDeposits, the attacker receives a large share of RAAC rewards.

3. The attacker withdraws their deposit shortly after, keeping the rewards.

4. This cycle can be repeated, draining the reward pool at the expense of long-term depositors.

Impact

• Short-term depositors can steal rewards that were meant to incentivize long-term staking.

• Legitimate users receive lower rewards as attackers extract a disproportionate share.

• The reward pool is drained faster, reducing the sustainability of the incentive program.

Tools Used

N/A

Recommendations

• Implement a checkpoint-based reward distribution that weights rewards based on deposit duration rather than just the current deposit amount.