Core Contracts

Regnum Aurum Acquisition Corp
Hardhat / Real World Assets / NFT
77,280 USDC

Submission Details
Severity: low
Status: Invalid

Lack of Rate-Limiting for Deposits & Withdrawals

Summary

A malicious user can spam deposits and withdrawals within the same block to game the reward system.

If the contract can be interacted with using flash-loaned funds, an attacker can deposit a large amount temporarily, farm rewards, and withdraw immediately in the same transaction.

Vulnerability Details

```solidity
function depositRAACFromPool(uint256 amount) external onlyLiquidityPool validAmount(amount) {
    uint256 preBalance = raacToken.balanceOf(address(this));
    raacToken.safeTransferFrom(msg.sender, address(this), amount);
    uint256 postBalance = raacToken.balanceOf(address(this));
    if (postBalance != preBalance + amount) revert InvalidTransfer();
    // TODO: Logic for distributing to managers based on allocation
    emit RAACDepositedFromPool(msg.sender, amount);
}
```

Impact

Tools Used

Recommendations

Introduce a minimum deposit duration.

Implement anti-flash loan mechanisms (e.g., requiring deposits to stay locked for a short period).

```solidity
mapping(address => uint256) public lastDepositTime;

uint256 public constant MIN_DEPOSIT_TIME = 10 minutes;

function deposit(uint256 amount) external nonReentrant whenNotPaused validAmount(amount) {
    // Reject a new deposit from this address until MIN_DEPOSIT_TIME has passed
    require(block.timestamp >= lastDepositTime[msg.sender] + MIN_DEPOSIT_TIME, "Too soon to deposit again");
    lastDepositTime[msg.sender] = block.timestamp;
    _update();
    rToken.safeTransferFrom(msg.sender, address(this), amount);
    uint256 deCRVUSDAmount = calculateDeCRVUSDAmount(amount);
    deToken.mint(msg.sender, deCRVUSDAmount);
    userDeposits[msg.sender] += amount;
    _mintRAACRewards();
    emit Deposit(msg.sender, amount, deCRVUSDAmount);
}
```
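The snippet above only throttles how often one address may deposit; it does not by itself stop a deposit and a withdrawal from landing in the same transaction. The following is an added example, written for this page and not taken from the project's RAAC contracts, that goes one step further and enforces the lock window on the withdrawal side, which is the "deposits stay locked for a short period" mechanism the recommendation describes. `TimeLockedVault`, `lockRemaining` and the trimmed `IERC20` interface are assumptions made for the illustration; the real project uses OpenZeppelin's `SafeERC20` and reward accounting that is omitted here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface used by this example (assumption: the project's
// vault uses OpenZeppelin IERC20/SafeERC20; this keeps the example self-contained).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

/// @notice Illustrative vault (hypothetical name) with a per-depositor lock window.
/// Every deposit refreshes `lastDepositTime`; withdrawals revert until
/// MIN_DEPOSIT_TIME has elapsed, so a deposit and a withdrawal can never
/// execute in the same block, and therefore not in one flash-loan transaction.
contract TimeLockedVault {
    IERC20 public immutable token;
    uint256 public constant MIN_DEPOSIT_TIME = 10 minutes;

    mapping(address => uint256) public userDeposits;
    mapping(address => uint256) public lastDepositTime;

    event Deposit(address indexed user, uint256 amount);
    event Withdraw(address indexed user, uint256 amount);

    error ZeroAmount();
    error DepositLocked(uint256 unlockAt);
    error InsufficientBalance();
    error TransferFailed();

    constructor(IERC20 _token) {
        token = _token;
    }

    function deposit(uint256 amount) external {
        if (amount == 0) revert ZeroAmount();
        // Effects before the external token call (checks-effects-interactions).
        lastDepositTime[msg.sender] = block.timestamp;
        userDeposits[msg.sender] += amount;
        if (!token.transferFrom(msg.sender, address(this), amount)) revert TransferFailed();
        emit Deposit(msg.sender, amount);
    }

    function withdraw(uint256 amount) external {
        if (amount == 0) revert ZeroAmount();
        uint256 unlockAt = lastDepositTime[msg.sender] + MIN_DEPOSIT_TIME;
        // The lock is enforced on exit: flash-loaned funds must be repaid before
        // the borrowing transaction ends, but the position cannot leave the vault
        // until MIN_DEPOSIT_TIME later, so the loan cannot be repaid from it.
        if (block.timestamp < unlockAt) revert DepositLocked(unlockAt);
        if (userDeposits[msg.sender] < amount) revert InsufficientBalance();
        userDeposits[msg.sender] -= amount;
        if (!token.transfer(msg.sender, amount)) revert TransferFailed();
        emit Withdraw(msg.sender, amount);
    }

    /// @notice Seconds remaining until `user` may withdraw; 0 once unlocked.
    function lockRemaining(address user) external view returns (uint256) {
        uint256 unlockAt = lastDepositTime[user] + MIN_DEPOSIT_TIME;
        return block.timestamp >= unlockAt ? 0 : unlockAt - block.timestamp;
    }
}
```

Two design points worth noting: the lock is keyed on `msg.sender`, so a third party cannot extend another user's lock by depositing on their behalf, and a top-up by the user re-locks their whole balance, which is the intended trade-off (simple accounting in exchange for a slightly longer wait after each deposit). Reward accrual, if added, should be credited only to balances that have already passed `unlockAt`, otherwise the same-block farming the finding describes returns through the reward path.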

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Too generic
