
Regnum Aurum Acquisition Corp
Severity: high
Valid

User can inflate the total supply of `veRAAC` tokens, leading to other users receiving less rewards

Summary

This happens because the rewards calculation uses the `veRAAC` token total supply as its denominator.

Vulnerability Details

Imagine the following scenario:

  1. A user wants to claim rewards.
  2. A malicious user holding a large amount of RAAC tokens sees the transaction in the mempool.
  3. He front-runs it by minting veRAAC tokens, thereby increasing the veRAAC total supply.

This lowers the rewards of other users and lets the malicious user take some of those rewards, practically stealing from ordinary users. This is possible because the `veRAAC` total supply is one of the main components of the reward-share computation, as can be seen here:

```solidity
function _calculatePendingRewards(
    address user
) internal view returns (uint256) {
    uint256 userVotingPower = veRAACToken.getVotingPower(user);
    if (userVotingPower == 0) return 0;
    uint256 totalVotingPower = veRAACToken.getTotalVotingPower(); // @>
    if (totalVotingPower == 0) return 0;
    uint256 share = (totalDistributed * userVotingPower) / totalVotingPower; // @>
    return share > userRewards[user] ? share - userRewards[user] : 0;
}
```

This can also be done by extending an existing lock, which makes it even easier.

Impact

A user can steal the RAAC token rewards of other users. This also impacts the required quorum in the Governance contract.

Tools Used

Manual review

Recommendations

Add slippage protection to the reward-claiming path.
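To see both the dilution described under Vulnerability Details and the effect of the recommended slippage check, here is an added Python model of the quoted share formula; it is not the protocol's own code, and `RewardPool`, `dilution_scenario`, the `min_reward` floor and all amounts are assumptions constructed for illustration.

```python
class RewardPool:
    """Toy model of the reward accounting the finding quotes. Names mirror the snippet;
    the min_reward parameter is the assumed mitigation, not an existing project API."""

    def __init__(self, total_distributed: int):
        self.total_distributed = total_distributed  # rewards allocated so far
        self.voting_power: dict[str, int] = {}  # user -> veRAAC voting power
        self.user_rewards: dict[str, int] = {}  # user -> rewards already paid out

    def total_voting_power(self) -> int:
        return sum(self.voting_power.values())

    def mint(self, user: str, power: int) -> None:
        # Minting veRAAC (or extending a lock) raises the denominator for everyone
        self.voting_power[user] = self.voting_power.get(user, 0) + power

    def pending(self, user: str) -> int:
        """Same arithmetic as the quoted Solidity: pro rata to voting power at call time."""
        user_power = self.voting_power.get(user, 0)
        total_power = self.total_voting_power()
        if user_power == 0 or total_power == 0:
            return 0
        share = self.total_distributed * user_power // total_power
        paid = self.user_rewards.get(user, 0)
        return share - paid if share > paid else 0

    def claim(self, user: str, min_reward: int = 0) -> int:
        """Pay out pending rewards; 'reverts' (raises) if below the claimer's floor."""
        amount = self.pending(user)
        if amount < min_reward:
            raise ValueError(f"reward {amount} below minimum {min_reward}")
        self.user_rewards[user] = self.user_rewards.get(user, 0) + amount
        return amount


def dilution_scenario(mint_before_claim: int, min_reward: int = 0) -> tuple[int, int]:
    """Alice holds all voting power when 1000 RAAC of rewards are distributed (constructed
    numbers). An attacker mints mint_before_claim veRAAC right before her claim.
    Returns (what Alice receives, what the attacker can now claim)."""
    pool = RewardPool(total_distributed=1_000)
    pool.mint("alice", 100)
    if mint_before_claim:
        pool.mint("attacker", mint_before_claim)  # the front-running mint from the finding
    alice_paid = pool.claim("alice", min_reward=min_reward)
    return alice_paid, pool.pending("attacker")
```

With a 900-power mint in front of her claim, Alice's payout drops from 1000 to 100 and the attacker becomes entitled to the other 900; a claim carrying `min_reward=1000` reverts instead of paying out the diluted amount.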

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

StabilityPool::calculateRaacRewards is vulnerable to just in time deposits
