Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

RAAC rewards can be stolen

alexczm

Summary

The RAAC reward distribution mechanism is unfair and rewards can be easily stolen by depositing a relatively big amount of rTokens. The attack can be repeated until there are no rewards left.

Vulnerability Details

On StabilityPool::deposit and withdraw the rewards since last reward distribution are minted to stabilityPool.

On withdraw the raacRewards are calculated and transferred to msg.sender.
The calculateRaacRewards calculates the user rewards as a percent of user's deposit from total deToken supply.

function calculateRaacRewards(address user) public view returns (uint256) {
uint256 userDeposit = userDeposits[user];
uint256 totalDeposits = deToken.totalSupply();
uint256 totalRewards = raacToken.balanceOf(address(this));
if (totalDeposits < 1e6) return 0;
@> return (totalRewards * userDeposit) / totalDeposits;
}

An user can wait until an satisfactory amount of rewards are accumulated in stabilityPool or are pending to be minted and can deposit and withdraw to get rewards even if he deposited for only one block. While nonReentrant modifier prevent the 'flashloan' attack vector, a malicious user can deposit and withdraw multiple times until there are no rewards left.

Impact

RAAC rewards can be easily stolen.

Tools Used

Recommendations

Implement a time based reward sistem. The longer an user holds deToken, the more rewards per deposited token he should get. Consider MasterChef as an example.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

StabilityPool::calculateRaacRewards is vulnerable to just in time deposits

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.