Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC

Submission Details
Severity: high
Valid

RAAC Reward Farming via Repeated Deposit and Withdrawals

Summary:

A malicious user can repeatedly deposit and withdraw funds to exploit the RAAC rewards calculation mechanism, allowing them to accumulate an unfair share of the rewards and effectively drain the entire RAAC reward pool.

Vulnerability Details:

The issue arises from the flawed calculation of RAAC rewards in calculateRaacRewards(). A user's RAAC rewards are determined solely by their current proportion of total deposits, with no record of rewards already paid out:

```solidity
function calculateRaacRewards(address user) public view returns (uint256) {
    uint256 userDeposit = userDeposits[user];                  // the caller's current deposit
    uint256 totalDeposits = deToken.totalSupply();             // all deposits, via deToken supply
    uint256 totalRewards = raacToken.balanceOf(address(this)); // whatever RAAC the pool holds right now
    if (totalDeposits < 1e6) return 0;                         // dust guard only
    // share-of-pool times the full remaining reward balance, recomputed on every call
    return (totalRewards * userDeposit) / totalDeposits;
}
```

A user can exploit this mechanism by rapidly cycling deposits and withdrawals:

  1. Deposit rToken into the pool, receiving deCRVUSD in return.

  2. Withdraw a small amount of the deposited rToken; the withdraw function transfers the user's rewards as part of the call.

  3. Call withdraw again and again; the withdraw function recalculates and transfers the reward on every call.

Since rewards are distributed based on deposit share at the time of calculation, a user who repeatedly deposits and withdraws can repeatedly claim rewards, stealing all rewards from the contract.
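The accounting flaw and the usual remedy, as an added example that is not the project's code: a small Python model in which FlawedPool mirrors calculateRaacRewards() together with a withdraw that pays out on every call, while FixedPool keeps an accumulated rewards-per-share index and a per-user reward debt so that each unit of reward is credited once. The depositor names, the deposit sizes, the 1,000-token reward pot and the withdraw behaviour are constructed from the description above, not taken from the contract.

```python
SCALE = 10**18  # fixed-point scale for the per-share accumulator in FixedPool

class FlawedPool:
    """Mirrors the page's calculateRaacRewards(): share of deposits times the pool's
    current reward balance, paid on every withdraw with no memory of earlier payouts."""
    def __init__(self, rewards):
        self.rewards = rewards      # raacToken.balanceOf(address(this))
        self.deposits = {}          # userDeposits
        self.total = 0              # deToken.totalSupply()
    def deposit(self, user, amount):
        self.deposits[user] = self.deposits.get(user, 0) + amount
        self.total += amount
    def calculate_raac_rewards(self, user):
        if self.total < 10**6:
            return 0
        return self.rewards * self.deposits[user] // self.total
    def withdraw(self, user, amount):
        paid = self.calculate_raac_rewards(user)   # recomputed from scratch on each call
        self.rewards -= paid
        self.deposits[user] -= amount
        self.total -= amount
        return paid

class FixedPool:
    """Keeps an accumulated rewards-per-share index and a per-user reward debt, so each
    unit of reward is credited exactly once regardless of how often the user calls in."""
    def __init__(self):
        self.acc = 0                # rewards per deposited unit so far, scaled by SCALE
        self.deposits, self.debt, self.total = {}, {}, 0
    def add_rewards(self, amount):
        assert self.total > 0, "rewards arriving with no depositors would be stranded"
        self.acc += amount * SCALE // self.total
    def pending(self, user):
        return (self.deposits.get(user, 0) * self.acc - self.debt.get(user, 0)) // SCALE
    def _settle(self, user, delta):
        paid = self.pending(user)   # claim what accrued since the last balance change
        self.deposits[user] = self.deposits.get(user, 0) + delta
        self.total += delta
        self.debt[user] = self.deposits[user] * self.acc   # nothing more to claim until acc grows
        return paid
    def deposit(self, user, amount):
        return self._settle(user, amount)
    def withdraw(self, user, amount):
        return self._settle(user, -amount)

def cycle_withdrawals(pool, user, rounds):
    """Withdraw 1 wei `rounds` times, the pattern from the finding; returns the total reward paid."""
    return sum(pool.withdraw(user, 1) for _ in range(rounds))
```

With two equal depositors and a 1,000-token pot, fifty 1-wei withdrawals take nearly the whole pot from FlawedPool, while FixedPool pays the same caller exactly the 500-token half and leaves the other depositor's half intact.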

Impact:

  • RAAC rewards can be drained by a single user with minimal initial capital.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

StabilityPool::calculateRaacRewards is vulnerable to just in time deposits
