Flashloan Attack Exploit Could Drain All Minted RAAC Reward Tokens from StabilityPool.sol
Summary
The stabilityPool.sol contract distributes reward tokens based on an ERC-4626 vault-like implementation, as shown below:
This calculation is vulnerable to a flash loan attack, allowing a user to artificially inflate their share in the protocol and withdraw a disproportionate amount of reward tokens without holding funds in the contract for any significant period.
Vulnerability Details
The vulnerability arises because users can temporarily increase their stake atomically, claim rewards, and then withdraw their funds within the same transaction. This manipulation lets them extract all available rewards without assuming the usual risks associated with long-term staking.
Impact
This exploit poses a significant risk to the protocol, as it enables malicious actors to drain the rewards in the Stability Pool. As a result, legitimate users are deprived of their rightful earnings. This causes a high impact scenario.
Tools Used
Manual Review
Recommendations
To mitigate this risk, consider implementing a time-based restriction, such as:
Introducing a lock-up period that prevents immediate withdrawals after depositing or staking rTokens.
Using a time-weighted reward distribution mechanism to ensure users earn rewards based on the duration of their stake.
Lead Judging Commences
StabilityPool::calculateRaacRewards is vulnerable to just in time deposits
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.