Core Contracts

Summary

The claimRewards function enables users to claim their pending rewards. However, it does not update the lastClaimTime mapping, which is responsible for tracking the last time a user claimed rewards. This omission can cause issues in tracking claim history, reward accrual mechanisms, and security validations dependent on claim timestamps.

Vulnerability Details

• The lastClaimTime mapping is designed to store the last timestamp when a user claims rewards.

  [ https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/collectors/FeeCollector.sol#L115 ]

  mapping(address => uint256) private lastClaimTime;

• The _updateLastClaimTime(address user) function is available to update this timestamp but is never called inside claimRewards().

  [https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/collectors/FeeCollector.sol#L555]

  function _updateLastClaimTime(address user) internal {

  lastClaimTime[user] = block.timestamp;

  }

• As a result, even after a successful claim, lastClaimTime[user] remains unchanged, leading to inaccurate claim tracking.

  function claimRewards(address user) external override nonReentrant whenNotPaused returns (uint256) {

  if (user == address(0)) revert InvalidAddress();

  uint256 pendingReward = _calculatePendingRewards(user);

  if (pendingReward == 0) revert InsufficientBalance();

  // Reset user rewards before transfer

  userRewards[user] = totalDistributed;

  // Transfer rewards

  raacToken.safeTransfer(user, pendingReward);

  // @audit-issue : lastClaimTime[user] is not updated

  emit RewardClaimed(user, pendingReward);

  return pendingReward;

  }

Impact

Inaccurate Reward Tracking: Systems relying on lastClaimTime for reward calculations or time-based limits may behave incorrectly.

Tools Used

Manual Review .

Recommendations

Update lastClaimTime in claimRewards(): Call _updateLastClaimTime(user); after a successful reward claim.