Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC

Submission Details
Severity: high
Status: Invalid

User can inflate the `totalSupply` of `deToken`, this way lowering the rewards of other users in `StabilityPool`

Summary

A user can inflate the totalSupply of deToken and thereby lower the rewards paid to other users of the StabilityPool. This is possible because the reward computation uses the deToken total supply as its denominator, so anyone who can temporarily increase that supply dilutes every other depositor's share.

Vulnerability Details

Imagine the following scenario:

  1. A user wants to withdraw their rToken from the StabilityPool, which also pays out their accrued RAACToken rewards.

  2. A malicious user sees this transaction in the mempool, takes a large flash loan, deposits into the LendingPool to receive rToken, and then inflates the supply of deToken by depositing that rToken into the StabilityPool ahead of the victim's withdrawal.

In this way the attacker intentionally lowers the victim's reward and profits from the difference. This is possible because of the calculateRaacRewards function, which looks like this:

```solidity
function calculateRaacRewards(address user) public view returns (uint256) {
    uint256 userDeposit = userDeposits[user];
@>  uint256 totalDeposits = deToken.totalSupply();
    uint256 totalRewards = raacToken.balanceOf(address(this));
    if (totalDeposits < 1e6) return 0;
@>  return (totalRewards * userDeposit) / totalDeposits;
}
```

Impact

A user can realise a profit at other depositors' expense by performing the attack described above.

Tools Used

Manual Review

Recommendations

Add slippage protection to the withdraw function (for example, a caller-supplied minimum reward amount below which the call reverts) so that a withdrawal cannot be executed at a diluted reward.
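The arithmetic behind the scenario above and the recommended slippage check, as an added example that is not part of the submission or of the project's code. It is an integer model of the `calculateRaacRewards` formula shown in the report: `userDeposit`, `totalDeposits` and `totalRewards` are passed in as plain integers instead of being read from storage, the 18-decimal token units and all balances are constructed sample values, and `withdraw_with_min_reward` is a hypothetical name for the slippage-protected withdraw the recommendation describes.

```python
# Model of the pro-rata reward formula from the report and of a
# slippage-protected withdrawal. All numbers below are constructed samples.

SCALE = 10**18            # assumption: 18-decimal tokens, like most ERC-20s
MIN_TOTAL_DEPOSITS = 10**6  # mirrors `if (totalDeposits < 1e6) return 0`


def calculate_raac_rewards(user_deposit: int, total_deposits: int, total_rewards: int) -> int:
    """Integer port of calculateRaacRewards(): rewards * userDeposit / totalSupply.

    Solidity's `/` truncates toward zero for unsigned ints, which `//` matches
    for non-negative operands.
    """
    if total_deposits < MIN_TOTAL_DEPOSITS:
        return 0
    return (total_rewards * user_deposit) // total_deposits


def reward_after_extra_deposit(user_deposit: int, total_deposits: int,
                               total_rewards: int, extra_deposit: int) -> int:
    """Reward the same user would receive if `extra_deposit` more deToken were
    minted to someone else before the user's withdrawal executes.

    The user's own deposit and the reward balance are unchanged; only the
    denominator grows, so the payout shrinks proportionally.
    """
    return calculate_raac_rewards(user_deposit, total_deposits + extra_deposit, total_rewards)


def withdraw_with_min_reward(user_deposit: int, total_deposits: int,
                             total_rewards: int, min_reward: int) -> int:
    """Hypothetical slippage-protected withdraw.

    The caller states the smallest reward they are willing to accept (computed
    off-chain when the transaction is built). If the pool state at execution
    time yields less, the call reverts (modelled here as ValueError), so a
    withdrawal front-run by a large deposit simply fails instead of paying out
    at the diluted rate.
    """
    reward = calculate_raac_rewards(user_deposit, total_deposits, total_rewards)
    if reward < min_reward:
        raise ValueError("StabilityPool: reward below caller's minimum")
    return reward


if __name__ == "__main__":
    # Constructed state: victim holds 100 of 1,000 deToken, pool holds 50 RAAC.
    victim = 100 * SCALE
    supply = 1_000 * SCALE
    rewards = 50 * SCALE

    expected = calculate_raac_rewards(victim, supply, rewards)
    print("reward at submission time:", expected / SCALE)          # 5.0

    # 9,000 deToken minted to another account before the withdrawal executes.
    diluted = reward_after_extra_deposit(victim, supply, rewards, 9_000 * SCALE)
    print("reward after dilution:   ", diluted / SCALE)            # 0.5

    # With a floor of 98% of the expected reward the diluted withdrawal reverts.
    try:
        withdraw_with_min_reward(victim, supply + 9_000 * SCALE, rewards, expected * 98 // 100)
    except ValueError as exc:
        print("withdraw reverted:", exc)
```

The check has to be placed in the state-changing withdraw path, not only in the view function: the view tells a user what they would get now, while the `min_reward` argument binds that expectation to the transaction that actually executes later.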

Updates

Lead Judging Commences

inallhonesty Lead Judge 2 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
