The deposit and withdraw functions in the contract allow users to manipulate RAAC rewards by timing their deposits and withdrawals around the inflows of RAAC tokens. Because the system does not track deposit duration or accumulate rewards over time, a user can deposit a large amount right before rewards are claimed and withdraw immediately after receiving them, capturing a share of the rewards out of proportion to the time their capital was actually at stake.
The calculateRaacRewards function determines a user's RAAC reward based on their deposit size at the time of calculation, without considering how long the user has been staked in the pool.
A user can:
Monitor the RAAC token balance of the contract.
Deposit a large amount just before reward distribution.
Withdraw their entire stake immediately after receiving rewards.
The contract assumes rewards are fairly distributed among depositors, but it does not track how long a deposit has been active.
Users with large capital can manipulate the system to gain an unfair advantage over long-term depositors.
Users who have been in the pool longer will see their rewards reduced by opportunistic depositors who temporarily inflate the deposit pool to claim a large share of the rewards.
Since there is no time-based vesting for rewards, the pool can be rapidly drained by malicious actors executing repeated deposit/withdraw cycles.
Tools used: manual review.
Modify calculateRaacRewards so that a depositor's share of rewards is weighted by how long their tokens have been staked, not only by their balance at the moment of calculation.
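The following Python model, added here as an illustration and not code from the RAAC contract, contrasts the balance-at-distribution accounting described above with a time-weighted alternative in which each depositor's share is proportional to balance multiplied by seconds staked since the previous distribution. The pool classes, the scenario amounts and timestamps are all constructed for the example.

```python
# Constructed model, not RAAC's code: SnapshotPool pays by balance at distribution time
# (the vulnerable pattern); StakeSecondsPool pays by balance * seconds staked (the fix).

class SnapshotPool:
    """Vulnerable: a deposit made one second before distribution earns a full share."""
    def __init__(self):
        self.balances, self.rewards = {}, {}
    def deposit(self, user, amount, now):
        self.balances[user] = self.balances.get(user, 0) + amount
    def withdraw(self, user, amount, now):
        self.balances[user] -= amount
    def distribute(self, reward, now):
        total = sum(self.balances.values())
        for user, bal in self.balances.items():
            self.rewards[user] = self.rewards.get(user, 0) + reward * bal // total

class StakeSecondsPool:
    """Hardened: share = user token-seconds / pool token-seconds since last distribution."""
    def __init__(self):
        self.balances, self.rewards = {}, {}
        self.user_ts, self.last_update = {}, {}   # accrued token-seconds, last checkpoint
        self.total_ts = self.total_bal = self.total_last = 0
    def _checkpoint(self, user, now):
        # Bank the token-seconds earned since the user's and the pool's previous checkpoint.
        self.user_ts[user] = self.user_ts.get(user, 0) + self.balances.get(user, 0) * (now - self.last_update.get(user, now))
        self.last_update[user] = now
        self.total_ts += self.total_bal * (now - self.total_last)
        self.total_last = now
    def deposit(self, user, amount, now):
        self._checkpoint(user, now)
        self.balances[user] = self.balances.get(user, 0) + amount
        self.total_bal += amount
    def withdraw(self, user, amount, now):
        self._checkpoint(user, now)
        self.balances[user] -= amount
        self.total_bal -= amount
    def distribute(self, reward, now):
        for user in self.balances:
            self._checkpoint(user, now)
        for user in self.balances:
            self.rewards[user] = self.rewards.get(user, 0) + reward * self.user_ts[user] // self.total_ts
            self.user_ts[user] = 0            # next period starts fresh
        self.total_ts = 0

def run_scenario(pool):
    pool.deposit("honest", 100, 0)           # staked for the whole 1000 s period
    pool.deposit("opportunist", 900, 999)    # enters one second before distribution
    pool.distribute(10_000, 1000)
    pool.withdraw("opportunist", 900, 1001)  # leaves right after collecting
    return dict(pool.rewards)
```

In the snapshot model the opportunist collects 9000 of the 10000 reward units for one second of exposure; under token-second weighting the same sequence yields 89 units, with the honest depositor receiving 9910.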