Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Users wishing to Withdraw RAAC Rewards from the Stability Pool for staking rTokens can only do so, if removing staked tokens from the pool

0xtimefliez

Description

Due to the lack of a withdraw reward function and the validAmount() modifier at StakingPool::withdraw users are forced to at least withdraw small amounts of rToken to receive their RAAC Rewards for supplying those.

Vulnerability Details

While this behavior might actually be intended as it is, it creates an unnecessary gas cost towards the users to receive their RAAC Rewards which creates a barrier to users being able to withdraw their rewards and participate in governance decisions.
I believe, in regards of a fair distribution, a withdraw function which allows users to simply withdraw their RAAC Rewards (without having to incur an additional transaction afterwards to restake claimed rTokens) would improve the UX and fair distribution, encouraging users to partake more actively in RAAC Staking

Impact

Since there is no actual loss of funds, just simply a psychological factor and unnecessary steps within the user experience, I would rate this as a Low or non-critical issue.
Low because it should be in the protocol interest that users stake their rTokens for liquidity and that active liquidity providers participate actively in governance decisions.

Tools Used

Manual Review

Recommended Fix

A possible and easy fix would be to remove the validAmount() modifier on the function and include an if-block as follows:

-function withdraw(uint256 deCRVUSDAmount) external nonReentrant whenNotPaused validAmount(deCRVUSDAmount) {

+function withdraw(uint256 deCRVUSDAmount) external nonReentrant whenNotPaused {

_update();

+ if ( deCRVUSDAmount == 0 ) {

+ uint256 rewards = calculateRaacRewards(msg.sender);

+ if (rewards > 0) {

+ raacToken.safeTransfer(msg.sender, rewards);

+ return;

+ } else {

+ revert();

+ }

if (deToken.balanceOf(msg.sender) < deCRVUSDAmount) revert InsufficientBalance();

uint256 rcrvUSDAmount = calculateRcrvUSDAmount(deCRVUSDAmount);

uint256 raacRewards = calculateRaacRewards(msg.sender);

if (userDeposits[msg.sender] < rcrvUSDAmount) revert InsufficientBalance();

userDeposits[msg.sender] -= rcrvUSDAmount;

if (userDeposits[msg.sender] == 0) {

delete userDeposits[msg.sender];

}

deToken.burn(msg.sender, deCRVUSDAmount);

rToken.safeTransfer(msg.sender, rcrvUSDAmount);

if (raacRewards > 0) {

raacToken.safeTransfer(msg.sender, raacRewards);

}

emit Withdraw(msg.sender, rcrvUSDAmount, deCRVUSDAmount, raacRewards);

}

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!