Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

All rewards in `StabilityPool` can be stolen by any user

Summary

Rewards are sent out based on the total user balance regardless of the withdrawal size.

Details

Every time `withdraw` is called on the stability pool, it calls `calculateRaacRewards`, which takes only `msg.sender` as input and never sees the amount being withdrawn.

```solidity
function calculateRaacRewards(address user) public view returns (uint256) {
    uint256 userDeposit = userDeposits[user];            // the user's full deposit, not the withdrawal amount
    uint256 totalDeposits = deToken.totalSupply();
    uint256 totalRewards = raacToken.balanceOf(address(this));
    if (totalDeposits < 1e6) return 0;
    return (totalRewards * userDeposit) / totalDeposits;  // share of all rewards proportional to the full deposit
}
```

The reward calculation takes the user's deposit as a fraction of all deposits and multiplies it by `totalRewards`. This is only correct if the user is withdrawing their entire balance, which `withdraw` does not require. Because the full-balance share is paid out on every call, a user can withdraw 1 wei at a time and repeatedly collect rewards sized for their whole deposit, draining the pool's RAAC balance.

Impact

Theft of funds

Mitigation

Rewrite `calculateRaacRewards` to compute the reward against the amount of tokens being withdrawn, not the user's entire balance.
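To make the Details and Mitigation sections concrete, here is a constructed Python model of the pool's reward accounting (an added illustration, not the project's code). It runs the original full-balance formula and the amount-based formula side by side; the user names, balances and reward total are assumed sample values, and `pro_rata=True` is one reading of the suggested mitigation.

```python
# Constructed model of the StabilityPool reward accounting described in this finding.
# Amounts are plain integers; the mitigation reading (pro_rata=True) is an assumption.

MIN_TOTAL_DEPOSITS = 1_000_000  # mirrors the `totalDeposits < 1e6` guard in calculateRaacRewards


class StabilityPoolModel:
    def __init__(self, deposits, rewards, pro_rata):
        self.deposits = dict(deposits)          # user -> deToken balance
        self.rewards = rewards                  # RAAC currently held by the pool
        self.pro_rata = pro_rata                # False: original formula; True: mitigation
        self.paid = {u: 0 for u in deposits}    # RAAC paid out per user

    def calculate_raac_rewards(self, user, amount):
        total = sum(self.deposits.values())     # stands in for deToken.totalSupply()
        if total < MIN_TOTAL_DEPOSITS:
            return 0
        # Original code scales by the user's whole deposit regardless of how much is
        # withdrawn; the mitigation scales by the amount actually being withdrawn.
        basis = amount if self.pro_rata else self.deposits[user]
        return self.rewards * basis // total

    def withdraw(self, user, amount):
        assert 0 < amount <= self.deposits[user]
        reward = self.calculate_raac_rewards(user, amount)
        self.rewards -= reward
        self.paid[user] += reward
        self.deposits[user] -= amount           # deTokens burned on withdrawal
        return reward


def run(pro_rata, slice_size, slices):
    """Alice and Bob each hold half the pool; Alice withdraws `slices` times.
    Returns (RAAC paid to Alice, RAAC left in the pool)."""
    pool = StabilityPoolModel({"alice": 5_000_000, "bob": 5_000_000},
                              rewards=1_000_000, pro_rata=pro_rata)
    for _ in range(slices):
        pool.withdraw("alice", slice_size)
    return pool.paid["alice"], pool.rewards


if __name__ == "__main__":
    # Both formulas agree on a single full withdrawal; they diverge on partial ones.
    print("single full withdrawal, original: ", run(False, 5_000_000, 1))
    print("five partial withdrawals, original:", run(False, 1_000_000, 5))
    print("five partial withdrawals, pro-rata:", run(True, 1_000_000, 5))
```

With the original formula Alice's five partial withdrawals collect far more than the 500,000 RAAC her half of the pool entitles her to, while the amount-based formula pays exactly that share however the withdrawal is split.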

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

StabilityPool::withdraw can be called with partial amounts, but it always sends the full rewards
