Summary

The FeeCollector contract incorrectly distributes RAAC rewards to veRAAC holders by using totalDistributed, which includes all past distributions. This allows new veRAAC holders to claim rewards as if they had been holding from the beginning, leading to unfair distribution and potential exploitation.

Vulnerability Details

1. Fees Collected

• The FeeCollector contract collects RAAC tokens and distributes them across four categories:

  • veRAAC Holders (rewards)

  • Burn

  • Repair Fund

  • Treasury

2.Distributing Rewards to veRAAC Holders

• During FeeCollector::distributeCollectedFees, a portion of fees (shares[0]) is allocated for veRAAC holders.

• The total amount allocated so far is stored in totalDistributed.

FeeCollector::_processDistributions:

3.User Claims Rewards which Incorrectly calculate rewards

• A user calls FeeCollector::claimRewards, which:

• Calls FeeCollector::_calculatePendingRewards to determine how much RAAC they can claim.

• FeeCollector::_calculatePendingRewards computes rewards as (totalDistributed * userVotingPower) / totalVotingPower .

• Issue: totalDistributed includes all past distributions, even from before the user had voting power.

• Updates userRewards[user] = totalDistributed; to mark rewards as claimed.

FeeCollector::claimRewards:

FeeCollector::_calculatePendingRewards:

4.Exploitation Scenario

• Early users claim rewards normally.

• A new user acquires veRAAC tokens later, but the calculation still includes all past distributions.

• This user receives rewards from past distributions, even though they had no voting power at that time.

Impact

1. Unfair distribution: New veRAAC holders receive rewards from past distributions they were never part of.

2. Dilution of rewards: Early participants receive less, as the total rewards are unfairly shared.

Tools Used

Manual