Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Missing veRAACShare (shares[0]) Comparison Against veRAAC Supply in _processDistributions::FeeCollector.sol

oluwaseyisekoni

Summary

The fee distribution function _processDistributions is responsible for allocating a portion of collected fees to veRAAC token holders. Specifically, a portion of the fees is allocated to the variable shares[0], which represents the fee share intended for veRAAC holders. However, the function does not verify whether the allocated shares[0] is appropriate relative to the total veRAAC voting power, obtained via veRAACToken.getTotalVotingPower(). This missing comparison may lead to an improper fee allocation if the calculated shares[0] exceeds the available veRAAC supply, or if the available supply is very low.

Vulnerability Details

function _processDistributions(uint256 totalFees, uint256[4] memory shares) internal {
uint256 contractBalance = raacToken.balanceOf(address(this));
if (contractBalance < totalFees) revert InsufficientBalance();
if (shares[0] > 0) {
uint256 totalVeRAACSupply = veRAACToken.getTotalVotingPower();
if (totalVeRAACSupply > 0) {
TimeWeightedAverage.createPeriod(
distributionPeriod,
block.timestamp + 1,
7 days,
@> shares[0], //@q the veRAACToken balance is not compared to the shares[0],
totalVeRAACSupply
);
totalDistributed += shares[0];
} else {
shares[3] += shares[0]; // Add to treasury if no veRAAC holders
}
}
if (shares[1] > 0) raacToken.burn(shares[1]);
if (shares[2] > 0) raacToken.safeTransfer(repairFund, shares[2]);
if (shares[3] > 0) raacToken.safeTransfer(treasury, shares[3]);
}

_processDistributionsonly checks if totalVeRAACSupply > 0but does not check if the value of shares[0] > totalVeRAACSupply

Impact

Misaligned Economic Incentives:

  • Over-Allocation: Without comparing shares[0] against the total veRAAC supply, the system might allocate more fees than can be reasonably distributed among veRAAC holders. This could lead to an artificially high per-token reward when the available voting power is low.

Tools Used

Manual review

Recommendations

Implement a Comparison Check: Before processing fee distribution for veRAAC holders (shares[0]), compare the calculated allocation to the total veRAAC voting power.

function _processDistributions(uint256 totalFees, uint256[4] memory shares) internal {
uint256 contractBalance = raacToken.balanceOf(address(this));
if (contractBalance < totalFees) revert InsufficientBalance();
if (shares[0] > 0) {
uint256 totalVeRAACSupply = veRAACToken.getTotalVotingPower();
if (totalVeRAACSupply > 0) {
+ if (shares[0] > totalVeRAACSupply) {
+ shares[0] = totalVeRAACSupply;
+ }
TimeWeightedAverage.createPeriod(
distributionPeriod,
block.timestamp + 1,
7 days,
shares[0],
totalVeRAACSupply
);
totalDistributed += shares[0];
} else {
/
shares[3] += shares[0]; // Add to treasury if no veRAAC holders
}
}
if (shares[1] > 0) raacToken.burn(shares[1]);
if (shares[2] > 0) raacToken.safeTransfer(repairFund, shares[2]);
if (shares[3] > 0) raacToken.safeTransfer(treasury, shares[3]);
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.