Regnum Aurum Acquisition Corp (Core Contracts)
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Incorrect Reward Distribution Allows New Users to Claim Historical Rewards In `FeeCollector` Contract

Summary

The FeeCollector contract contains a critical flaw in its reward distribution mechanism that enables newly staked veRAACToken holders to claim a disproportionate share of historical rewards. The vulnerability stems from improper tracking of user participation periods, allowing users to benefit from rewards accumulated before their stake existed. This defect fundamentally breaks the time-weighted reward distribution principle and jeopardizes the protocol's incentive structure.

Vulnerability Details

When the distributeCollectedFees function is called, it processes the distribution of collected fees by invoking the _processDistributions function. If shares[0] > 0, its value is added to the cumulative distributed amount using totalDistributed += shares[0]. After that, veRAACToken holders can call the claimRewards function to claim their accumulated rewards. The issue arises when numerous distributions have already occurred and a new user then mints veRAACTokens. This new user can immediately call claimRewards, which computes the payout via _calculatePendingRewards using the formula shown below.

Faulty Reward Calculation Logic

The contract uses a cumulative totalDistributed counter that aggregates all historical veRAAC allocations:

```solidity
// During distribution: every distribution is added to one global counter
totalDistributed += shares[0];

// During reward calculation: the user's share is taken from the whole
// historical total, scaled only by current voting power
uint256 share = (totalDistributed * userVotingPower) / totalVotingPower;
return share - userRewards[user];
```

Exploitation Scenario

  1. Protocol Operation:

    • 10 fee distributions occur over 6 months (totalDistributed = 100,000 RAAC)

  2. Attacker Action:

    • Mints veRAAC tokens representing 1% of total voting power

    • Immediately calls claimRewards()

  3. Illegitimate Gain:

    share = 100,000 * 1% = 1,000 RAAC
    userRewards[newUser] = 0
    Payout = 1,000 - 0 = 1,000 RAAC

    The attacker receives rewards from all prior distributions despite zero historical participation.

Impact

New stakers of veRAACToken can drain rewards that accumulated before they staked, diluting the payouts owed to users who actually held voting power during those distributions.

Tools Used

Manual Review

Recommendations

Implement a time-weighted checkpoint system that tracks rewards per veRAAC voting power unit over time. Replace the global totalDistributed with per-epoch reward snapshots, and calculate user entitlements based on their staking duration and voting power during each epoch. This ensures users can only claim rewards accumulated during their active participation periods.
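One way to implement the checkpoint approach described above, as an added illustration rather than the project's own code. It assumes a votingToken contract (standing in for veRAACToken) that calls syncPower before every voting-power change, and models voting power as a plain uint256 rather than the decaying veRAAC balance; rewardToken and all contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 { function transfer(address to, uint256 amount) external returns (bool); }

/// Checkpointed distributor: a global reward-per-power accumulator plus a per-user
/// checkpoint, so a user only earns from distributions made after their power was recorded.
contract CheckpointedFeeDistributor {
    uint256 private constant PRECISION = 1e18;
    IERC20 public immutable rewardToken;
    address public immutable votingToken; // assumed: the veRAAC token reporting power changes
    uint256 public totalPower;
    uint256 public rewardPerPowerStored; // cumulative reward per unit of voting power
    mapping(address => uint256) public power;                  // mirrored from votingToken
    mapping(address => uint256) public userRewardPerPowerPaid; // accumulator at last checkpoint
    mapping(address => uint256) public rewards;                // accrued but unclaimed

    constructor(IERC20 _rewardToken, address _votingToken) {
        rewardToken = _rewardToken;
        votingToken = _votingToken;
    }
    /// Rewards accrued since the user's checkpoint. A user first recorded after
    /// all distributions has paid == stored, so this returns 0, not a share of history.
    function earned(address user) public view returns (uint256) {
        uint256 delta = rewardPerPowerStored - userRewardPerPowerPaid[user];
        return rewards[user] + (power[user] * delta) / PRECISION;
    }

    /// Called by the voting token before any power change (mint, burn, decay),
    /// settling rewards under the old power and moving the checkpoint forward.
    function syncPower(address user, uint256 newPower) external {
        require(msg.sender == votingToken, "only voting token");
        rewards[user] = earned(user);
        userRewardPerPowerPaid[user] = rewardPerPowerStored;
        totalPower = totalPower - power[user] + newPower;
        power[user] = newPower;
    }
    /// Credit `amount` of collected fees to whoever holds power right now.
    function distribute(uint256 amount) external {
        require(totalPower > 0, "no stakers");
        rewardPerPowerStored += (amount * PRECISION) / totalPower;
    }
    function claim() external returns (uint256 amount) {
        amount = earned(msg.sender);
        rewards[msg.sender] = 0;
        userRewardPerPowerPaid[msg.sender] = rewardPerPowerStored;
        require(rewardToken.transfer(msg.sender, amount), "transfer failed");
    }
}
```

With the scenario from the report, a user whose power is first synced after the ten distributions has userRewardPerPowerPaid equal to rewardPerPowerStored and earned() returns 0; the invariant depends entirely on the voting token pushing every power change through syncPower.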

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Time-Weighted Average Logic is Not Applied to Reward Distribution in `FeeCollector`
