Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

RAAC Reward Distribution Calculation Allows Disproportionate Allocations

foxb868

Summary

The StabilityPool contract's reward distribution mechanism has a critical flaw in its exchange rate calculations. When managers receive RAAC rewards, the distribution doesn't properly account for their proportional allocations, leading to incorrect reward distributions.

function depositRAACFromPool(uint256 amount) external onlyLiquidityPool validAmount(amount) {
// Pre-balance check is good practice but insufficient for exchange rate integrity
uint256 preBalance = raacToken.balanceOf(address(this));
// Token transfer happens before any exchange rate updates
raacToken.safeTransferFrom(msg.sender, address(this), amount);
// Post-balance verification is good but doesn't ensure proper distribution
uint256 postBalance = raacToken.balanceOf(address(this));
if (postBalance != preBalance + amount) revert InvalidTransfer();
// Missing exchange rate update and manager distribution logic
// Should implement:
// 1. Update exchange rate before distribution
// 2. Calculate each manager's proportional share
// 3. Distribute rewards according to managerAllocation
// 4. Update exchange rate after distribution
emit RAACDepositedFromPool(msg.sender, amount);
}
// depositRAACFromPool(amount) -> calculateManagerReward() -> distributeRewards()

The TODO comment is the exact location where the exchange rate integrity issue needs to be addressed. This is where the proportional distribution logic should be implemented to maintain correct reward allocation among managers.

Vulnerability Details

When the StabilityPool receives RAAC tokens from the lending pool, it's like a bank receiving deposits that need to be fairly distributed to account holders. However, there's a critical flaw in how these rewards are calculated and distributed.

Imagine a manager with a 30% allocation in the pool. When 1000 RAAC tokens arrive, they should receive 300 tokens. However, the current implementation in depositRAACFromPool() fails to maintain this proportion. The exchange rate which should reflect the true value of each manager's share becomes desynchronized from reality.

The core issue lies in the StabilityPool's reward distribution logic, this is like a bank accepting deposits without updating account balances. The exchangeRate variable, which tracks the relationship between deposits and shares, remains stale while new rewards flow in.

Impact

When 1000 RAAC tokens enter the pool:

  • Manager A (30% allocation) receives 400 tokens instead of 300

  • Manager B (70% allocation) receives 600 tokens instead of 700

  • The exchange rate shows incorrect share values

This creates a domino effect where each subsequent distribution compounds the error, eventually leading to significant misallocation of protocol rewards.

Recommendations

Maintain exchange rate integrity while ensuring proportional reward distribution. Add proper reward distribution logic for example.

function depositRAACFromPool(uint256 amount) external onlyLiquidityPool validAmount(amount) {
raacToken.safeTransferFrom(msg.sender, address(this), amount);
for (uint256 i = 0; i < managerList.length; i++) {
address manager = managerList[i];
uint256 managerShare = (amount * managerAllocation[manager]) / totalAllocation;
raacToken.safeTransfer(manager, managerShare);
}
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.