veRAACToken holders can claim rewards fewer than expected in FeeCollector
Summary
veRAACToken holders can claim rewards fewer than expected in FeeCollector.
Vulnerability Details
veRAACToken holders claim rewards by FeeCollector#claimRewards()and actual rewards are calculated in _calculatePendingRewards().
As seen above, shares are merely depends on owning veRAACTokens.
This results in newly locked users unfairly benefiting from the rewards pool, while older users receive fewer rewards than expected. This issue arises once when newly locked users exist, and the reason is that totalDistributed is updated before user rewards are calculated, allowing new users to manipulate the system by locking tokens at the right time.
Impact
A user can lock tokens right after a distribution event, gaining instant access to rewards they did not contribute to. This dilutes rewards for long-term veRAACToken holders.
Tools Used
manual
Recommendations
Fix is not trivial.
One approach is that modify the reward calculation to snapshot the total veRAACToken supply before distribution, ensuring only existing holders benefit.
Lead Judging Commences
Time-Weighted Average Logic is Not Applied to Reward Distribution in `FeeCollector`
Time-Weighted Average Logic is Not Applied to Reward Distribution in `FeeCollector`
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.