The StabilityPool contract allows instant withdrawals after deposits. Users can game the system by strategically depositing and withdrawing within the same block, especially using flash loans. This exploit allows attackers to artificially inflate their reward share during withdrawals by taking advantage of how calculateRaacRewards handles rewards. This leads to unfair distribution and depletion of the reward pool.
The _mintRAACRewards function is called during deposit and withdraw, which triggers raacMinter.tick(). This mints RAAC tokens to the contract based on the time elapsed since the last update.
If a user deposits and withdraws in the same block, they can still claim a share of the newly minted RAAC rewards without holding their deposit for any meaningful duration.
The calculateRaacRewards function, which is called inside the withdraw function, calculates rewards based on the user's share of the total deposits (userDeposit / totalDeposits) and the current balance of raacToken in the contract.
A flash loan can be used to temporarily inflate the user's deposit share, allowing them to claim a disproportionate amount of rewards.
Since both userDeposit and totalDeposits increase proportionally, the attacker’s reward share remains significant.
The attacker can drain a significant portion of the RAAC rewards from the contract, leaving legitimate users with fewer or no rewards.
Manual review
Require users to stake their deposits for a minimum period (e.g., 1 day) before they can withdraw and claim rewards.
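A minimal sketch of the recommended minimum-lock check, added here as an example and not taken from the RAAC code base. The contract, all of its names and the withdraw-everything design are assumptions; the reward formula follows the pro-rata description above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration; not the RAAC StabilityPool. All names are hypothetical.
interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address, uint256) external returns (bool);
    function transferFrom(address, address, uint256) external returns (bool);
}

contract LockedPoolSketch {
    uint256 public constant MIN_LOCK = 1 days; // the "e.g., 1 day" from the recommendation
    IERC20 public immutable depositToken;
    IERC20 public immutable rewardToken;
    mapping(address => uint256) public userDeposit;
    mapping(address => uint256) public lastDepositTime;
    uint256 public totalDeposits;
    error StillLocked(uint256 unlockTime);

    constructor(IERC20 _deposit, IERC20 _reward) {
        depositToken = _deposit;
        rewardToken = _reward;
    }

    function deposit(uint256 amount) external {
        require(amount > 0, "zero amount");
        // Every deposit, including a top-up, restarts the lock, so a large
        // late top-up cannot ride on an older, smaller position's timer.
        lastDepositTime[msg.sender] = block.timestamp;
        userDeposit[msg.sender] += amount;
        totalDeposits += amount;
        require(depositToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
    }

    function withdrawAll() external {
        uint256 unlockTime = lastDepositTime[msg.sender] + MIN_LOCK;
        // A deposit and withdrawal in the same block always reverts here.
        if (block.timestamp < unlockTime) revert StillLocked(unlockTime);
        uint256 bal = userDeposit[msg.sender];
        require(bal > 0, "nothing deposited");
        // Pro-rata share of the reward balance, as the report describes it.
        uint256 reward = rewardToken.balanceOf(address(this)) * bal / totalDeposits;
        userDeposit[msg.sender] = 0; // effects before external calls
        totalDeposits -= bal;
        require(depositToken.transfer(msg.sender, bal), "transfer failed");
        if (reward > 0) require(rewardToken.transfer(msg.sender, reward), "reward failed");
    }
}
```

The lock only rules out deposit/withdraw round trips shorter than MIN_LOCK; rewards are still split by share at withdrawal time rather than by time staked.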