Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Malicious users can steal all rewards from StabilityPool

Summary

Malicious users can steal all rewards from StabilityPool

Vulnerability Details

In StabilityPool, rToken holders stake their rToken to receive deToken. When a user withdraws their rToken, they also receive RAAC token rewards, and the amount a user can claim is proportional to that user's deToken (deposit) amount.

The problem is that there is no deposit/withdraw fee and the rToken/deToken exchange rate stays fixed at 1:1, so depositing and withdrawing costs nothing. A malicious user can therefore deposit a large amount immediately before withdrawing, claim a pro-rata share of every reward token currently held by the pool, and repeat the deposit/withdraw cycle until the rewards are drained.

```solidity
function calculateRaacRewards(address user) public view returns (uint256) {
    uint256 userDeposit = userDeposits[user];
    uint256 totalDeposits = deToken.totalSupply();
    // Rewards are the contract's *current* RAAC balance, split pro rata by
    // *current* deposit; nothing records how long the deposit has been held.
    uint256 totalRewards = raacToken.balanceOf(address(this));
    if (totalDeposits < 1e6) return 0;
    return (totalRewards * userDeposit) / totalDeposits;
}
```

Impact

Malicious users can steal all reward tokens in the StabilityPool contract.

Tools Used

Manual

Recommendations

Add checkpointing to the reward distribution so that rewards accrue to a deposit only for the period it is actually in the pool, rather than being computed from the instantaneous deposit balance at withdrawal time.
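To make the just-in-time deposit problem and the checkpointing fix concrete, here is an added Python model of the pool accounting (example code, not the project's contract). `VulnerablePool` reproduces the arithmetic of `calculateRaacRewards` above; `CheckpointedPool` is one way to implement the recommended checkpoint, using an accumulated reward-per-share index that is settled per user on every deposit and withdrawal. The `fund_rewards()` method, the `"honest"`/`"jit"` roles and the amounts are constructed for the scenario; the 1:1 rToken/deToken rate and the `1e6` dust threshold are taken from the finding.

```python
"""Toy model of StabilityPool reward accounting (added example, not project code).

  * VulnerablePool: a user's share of the contract's *current* RAAC balance is
    taken from the user's *current* deposit, so a deposit made after rewards
    arrived still claims a share of them.
  * CheckpointedPool: a reward-per-share index is checkpointed on every deposit
    and withdrawal, so a deposit only earns rewards that arrive while it is staked.

Amounts are plain integers in 18-decimal token units.
"""
from typing import Dict

E18 = 10**18
ACC_PRECISION = 10**18   # fixed-point scale for the reward-per-share index
MIN_TOTAL = 10**6        # dust threshold copied from calculateRaacRewards()


class VulnerablePool:
    """Pro-rata share of the instantaneous RAAC balance, as in the finding."""

    def __init__(self) -> None:
        self.user_deposits: Dict[str, int] = {}
        self.total_deposits = 0   # stands in for deToken.totalSupply() at 1:1
        self.raac_balance = 0     # stands in for raacToken.balanceOf(address(this))

    def deposit(self, user: str, amount: int) -> None:
        self.user_deposits[user] = self.user_deposits.get(user, 0) + amount
        self.total_deposits += amount

    def fund_rewards(self, amount: int) -> None:
        self.raac_balance += amount

    def calculate_raac_rewards(self, user: str) -> int:
        # Same arithmetic as the Solidity function: no time-weighting at all.
        if self.total_deposits < MIN_TOTAL:
            return 0
        return self.raac_balance * self.user_deposits.get(user, 0) // self.total_deposits

    def withdraw(self, user: str) -> int:
        """Return the whole deposit and pay what the formula says; returns RAAC paid."""
        reward = self.calculate_raac_rewards(user)
        self.raac_balance -= reward
        self.total_deposits -= self.user_deposits.pop(user, 0)
        return reward


class CheckpointedPool:
    """Cumulative reward-per-share index, settled per user on every balance change."""

    def __init__(self) -> None:
        self.user_deposits: Dict[str, int] = {}
        self.reward_debt: Dict[str, int] = {}   # index-scaled amount already accounted for
        self.pending: Dict[str, int] = {}       # settled but not yet paid rewards
        self.total_deposits = 0
        self.acc_per_share = 0                  # RAAC per deposited unit, scaled by ACC_PRECISION
        self.raac_balance = 0

    def _checkpoint(self, user: str) -> None:
        # Settle everything the user earned since their last balance change.
        dep = self.user_deposits.get(user, 0)
        entitled = dep * self.acc_per_share // ACC_PRECISION
        self.pending[user] = self.pending.get(user, 0) + entitled - self.reward_debt.get(user, 0)
        self.reward_debt[user] = entitled

    def deposit(self, user: str, amount: int) -> None:
        self._checkpoint(user)
        self.user_deposits[user] = self.user_deposits.get(user, 0) + amount
        self.total_deposits += amount
        # The enlarged deposit starts at the current index: nothing from past rewards.
        self.reward_debt[user] = self.user_deposits[user] * self.acc_per_share // ACC_PRECISION

    def fund_rewards(self, amount: int) -> None:
        self.raac_balance += amount
        if self.total_deposits >= MIN_TOTAL:
            # Credited to whoever is staked *now*; later depositors get none of it.
            self.acc_per_share += amount * ACC_PRECISION // self.total_deposits

    def withdraw(self, user: str) -> int:
        self._checkpoint(user)
        reward = self.pending.pop(user, 0)
        self.reward_debt.pop(user, None)
        self.total_deposits -= self.user_deposits.pop(user, 0)
        self.raac_balance -= reward
        return reward


def run_scenario(pool_cls) -> Dict[str, int]:
    """One honest staker for the whole period; a second user deposits after rewards land."""
    pool = pool_cls()
    pool.deposit("honest", 1_000 * E18)
    pool.fund_rewards(100 * E18)        # rewards arrive while only "honest" is staked
    pool.deposit("jit", 9_000 * E18)    # just-in-time deposit, after the rewards arrived
    jit_reward = pool.withdraw("jit")   # withdrawn again right away
    honest_reward = pool.withdraw("honest")
    return {"jit": jit_reward, "honest": honest_reward}


if __name__ == "__main__":
    print("vulnerable:  ", run_scenario(VulnerablePool))
    print("checkpointed:", run_scenario(CheckpointedPool))
```

In the vulnerable model the late depositor walks away with 90 of the 100 reward tokens although it was staked for zero time, leaving the honest staker 10; with the checkpoint the late deposit earns nothing and the honest staker receives all 100. Rewards funded while `total_deposits` is below the dust threshold stay in the pool undistributed in the checkpointed model, which is the same edge the original `1e6` guard covers.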

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

StabilityPool::calculateRaacRewards is vulnerable to just in time deposits
