Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Unclaimed rewards in `StabilityPool` can be stolen

OpaBatyo

Summary

There are no safeguards to prevent a whale depositor to sandwich rewards and claim a share of unclaimed rewards.

Details

The current implementation of calculateRaacRewards is prone to sandwiches and theft of unclaimed yield as it calculates totalRewards using the live balance of the stability pool multiplied by the % of user's shares against all shares.

function calculateRaacRewards(address user) public view returns (uint256) {
uint256 userDeposit = userDeposits[user];
uint256 totalDeposits = deToken.totalSupply();
uint256 totalRewards = raacToken.balanceOf(address(this));
if (totalDeposits < 1e6) return 0;
return (totalRewards * userDeposit) / totalDeposits;
}

Whenever a large amount of rewards is expected to be added or there are unclaimed rewards attackers can do the following:

  1. Deposit a large amount of tokens

  2. New rewards are minted and added to the contract alongside the already existing balance

  3. Withdraw entire balance

This way the reward calculation involves the entire balanceOf which is a mix of unclaimed yield and newly added one. User will claim a share of the contract's balance which does not belong to him.

Impact

Theft of yield

Mitigation

Do not use live balanceOf to determine reward amounts.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

StabilityPool::calculateRaacRewards is vulnerable to just in time deposits

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!