Core Contracts

Summary

The calculateRaacRewards function in the stabilitypool.sol smart contract is vulnerable to a reward exploitation attack. An attacker can deposit tokens and immediately withdraw them to claim rewards without staking for any meaningful duration. This is due to the lack of a time-based mechanism in the reward calculation.

Vulnerability Details

• Location: StabilityPool.sol calculateRaacRewards function.

• Issue: The function calculates rewards based solely on the amount deposited and total deposits, without considering the duration of the deposit.

• Exploit:

  1. An attacker deposits a large amount of tokens.

  2. Immediately calls the withdraw function.

  3. Claims rewards proportional to their deposit, even though the tokens were staked for an extremely short duration.

• Root Cause: The absence of a time-weighted or lock-up mechanism allows attackers to game the reward system.

Impact

• High Severity: This vulnerability allows attackers to drain the reward pool without providing any real value (staking) to the system.

• Financial Loss: Legitimate users may receive fewer rewards as attackers exploit the system.

• Reputation Damage: The protocol's credibility could be harmed if users lose trust in the fairness of the reward distribution.

Tools Used

Manuel Review

Recommendations

1. Implement Time-Weighted Rewards:

   • Calculate rewards based on both the amount deposited and the duration of the deposit.

   • Example:

     solidity

     Copy

     uint256 stakingDuration = block.timestamp - deposit.timestamp;

     uint256 timeWeightedAmount = deposit.amount * stakingDuration;

     return (totalRewards * timeWeightedAmount) / (totalDeposits * stakingDuration);

2. Introduce a Lock-Up Period:

   • Require users to stake their tokens for a minimum duration before they can withdraw and claim rewards.

   • Example:

     solidity

     Copy

     uint256 public constant LOCK_PERIOD = 7 days;

     require(block.timestamp >= deposit.timestamp + LOCK_PERIOD, "Lock period not over");

3. Add Reward Vesting:

   • Distribute rewards gradually over time, ensuring users cannot claim all rewards immediately.

   • Example:

     solidity

     Copy

     uint256 vestedRewards = (totalRewards * stakingDuration) / VESTING_PERIOD;

4. Penalize Early Withdrawals:

   • Deduct a percentage of the deposited amount or rewards if users withdraw before the lock-up period ends.

   • Example:

     solidity

     Copy

     uint256 penalty = (deposit.amount * EARLY_WITHDRAWAL_PENALTY) / 100;

5. Testing and Auditing:

   • Conduct thorough testing to ensure the new mechanisms work as intended.

   • Perform a security audit to identify and fix any other potential vulnerabilities.