Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Stability pool reward can be MEVed

Summary

Rewards are computed from a user's current balance, not from how long that balance has been in the pool, so a user can join the stability pool, claim a large share of the accumulated rewards, and leave immediately.

Vulnerability Details

When rewards are calculated, neither the time a deposit has been in the pool nor the rewards that had already accrued before the user joined is taken into account. The only inputs are the user's current balance, the deToken totalSupply, and the pool's whole RAAC balance.

https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/pools/StabilityPool/StabilityPool.sol#L251-L259

    function calculateRaacRewards(address user) public view returns (uint256) {
        uint256 userDeposit = userDeposits[user];
        uint256 totalDeposits = deToken.totalSupply();
        // Entire RAAC balance held by the pool, regardless of when it arrived
        uint256 totalRewards = raacToken.balanceOf(address(this));
        if (totalDeposits < 1e6) return 0;
        // Pro-rata share by current balance only: no timestamps and no
        // checkpoint of rewards that accrued before `user` deposited
        return (totalRewards * userDeposit) / totalDeposits;
    }

This means a user can deposit a large amount and withdraw in the same block, claiming most of the rewards sitting in the pool. Because each withdrawal only takes the depositor's pro-rata share, the cycle can be repeated several times in a row, draining a geometrically shrinking remainder each time.

Example:

  1. No one has withdrawn for a day, so the RAAC rewards sent to the pool over that day are still unclaimed.
  2. An MEV bot sees the opportunity.
  3. It deposits a large amount of rTokens to mint itself deTokens, inflating its share of totalSupply.
  4. It withdraws immediately, claiming rewards for its share of the pool even though it held the position for no time at all.
  5. It repeats steps 3 and 4 until the remaining rewards are not worth the gas.

Impact

Rewards can be extracted by just-in-time deposits (MEV), and the honest depositors who actually held their position while the rewards accrued are diluted to a small remainder.
Any user can exploit the reward mechanism; no special privileges are required.

Tools Used

Manual review

Recommendations

Redo the reward math so that it takes into account the time at which each user joined the pool. A standard approach is a reward-per-token accumulator (as in Synthetix StakingRewards) that is checkpointed on every deposit, withdrawal, and reward arrival, so a depositor is only credited for rewards that accrue while its deTokens are in the pool. Rewards already in the contract when a user joins must not be shared with that user.
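The following is an added example, not code from the RAAC repository or from the submitter. It models the five-step attack from Vulnerability Details against a Python mirror of calculateRaacRewards, and then runs the same attacker against a Synthetix-style reward-per-token accumulator of the kind the recommendation describes. All amounts are constructed integers; VulnerablePool, AccumulatorPool, jit_attack, run_scenario and notify_reward are names chosen here and do not exist in the project. It assumes, as the finding states, that withdrawing pays out the caller's reward share and burns its deTokens.

```python
"""Just-in-time deposit against a balance-proportional reward formula, and a
reward-per-token accumulator that defeats it.

Added example (not code from the RAAC repository). Token amounts are
constructed integers; the pool classes are simplified models, not the
StabilityPool contract. Assumption: withdraw() pays the caller its reward
share and burns its deTokens, as the finding describes.
"""
from dataclasses import dataclass, field

WAD = 10**18          # fixed-point scale for the accumulator (assumption)
MIN_TOTAL = 10**6     # the `totalDeposits < 1e6` guard from calculateRaacRewards


@dataclass
class VulnerablePool:
    """Mirrors calculateRaacRewards: reward = balance * userDeposit / totalSupply.
    No timestamps, no record of rewards already accrued before the user joined."""
    deposits: dict = field(default_factory=dict)
    total_supply: int = 0
    raac_balance: int = 0      # raacToken.balanceOf(address(this))

    def deposit(self, user: str, amount: int) -> None:
        self.deposits[user] = self.deposits.get(user, 0) + amount
        self.total_supply += amount

    def calculate_raac_rewards(self, user: str) -> int:
        if self.total_supply < MIN_TOTAL:
            return 0
        return self.raac_balance * self.deposits.get(user, 0) // self.total_supply

    def withdraw(self, user: str) -> int:
        reward = self.calculate_raac_rewards(user)
        self.raac_balance -= reward
        self.total_supply -= self.deposits.pop(user, 0)
        return reward


def jit_attack(pool: VulnerablePool, attacker: str, stake: int, rounds: int) -> int:
    """Deposit, withdraw, repeat: each round takes stake/(stake+rest) of whatever
    RAAC is still in the pool, without holding the position for any time."""
    taken = 0
    for _ in range(rounds):
        pool.deposit(attacker, stake)
        taken += pool.withdraw(attacker)
    return taken


@dataclass
class AccumulatorPool:
    """Synthetix-style reward-per-token accounting: rewards are credited to the
    depositors present when they arrive, so a deposit made after accrual earns
    nothing from it. Assumption: notify_reward() is called as RAAC arrives."""
    deposits: dict = field(default_factory=dict)
    total_supply: int = 0
    reward_per_token_stored: int = 0
    paid: dict = field(default_factory=dict)      # userRewardPerTokenPaid
    earned: dict = field(default_factory=dict)

    def notify_reward(self, amount: int) -> None:
        if self.total_supply == 0:
            return                     # nobody staked; a real contract would hold it back
        self.reward_per_token_stored += amount * WAD // self.total_supply

    def _checkpoint(self, user: str) -> None:
        # Credit only what accrued since the user's last checkpoint
        delta = self.reward_per_token_stored - self.paid.get(user, 0)
        self.earned[user] = self.earned.get(user, 0) + self.deposits.get(user, 0) * delta // WAD
        self.paid[user] = self.reward_per_token_stored

    def deposit(self, user: str, amount: int) -> None:
        self._checkpoint(user)
        self.deposits[user] = self.deposits.get(user, 0) + amount
        self.total_supply += amount

    def withdraw(self, user: str) -> int:
        self._checkpoint(user)
        self.total_supply -= self.deposits.pop(user, 0)
        return self.earned.pop(user, 0)


def run_scenario() -> dict:
    """Honest depositor stakes 1,000 tokens; 1,000 RAAC accrue over a day; then a
    bot arrives with 9,000 tokens and cycles deposit/withdraw three times."""
    honest, bot = "honest", "bot"
    stake_h, stake_b, rewards = 1_000 * WAD, 9_000 * WAD, 1_000 * WAD

    vuln = VulnerablePool()
    vuln.deposit(honest, stake_h)
    vuln.raac_balance += rewards                           # a day of RAAC lands in the contract
    bot_takes = jit_attack(vuln, bot, stake_b, rounds=3)   # 900 + 90 + 9 RAAC
    honest_gets_vuln = vuln.withdraw(honest)               # the 1 RAAC left over

    safe = AccumulatorPool()
    safe.deposit(honest, stake_h)
    safe.notify_reward(rewards)                            # credited to whoever is staked now
    safe.deposit(bot, stake_b)
    bot_takes_safe = safe.withdraw(bot)                    # 0: nothing accrued while staked
    honest_gets_safe = safe.withdraw(honest)               # the full 1,000 RAAC

    return {
        "vulnerable_bot": bot_takes,
        "vulnerable_honest": honest_gets_vuln,
        "accumulator_bot": bot_takes_safe,
        "accumulator_honest": honest_gets_safe,
    }


if __name__ == "__main__":
    for name, amount in run_scenario().items():
        print(f"{name:>20}: {amount / WAD:.2f} RAAC")
```

Three rounds are enough for the bot to take 999 of the 1,000 RAAC in the vulnerable model, which is why the on-chain cost of the attack is only gas. With the accumulator, the bot's checkpoint is taken at deposit time, so the reward-per-token delta it sees at withdrawal is zero; it would only earn from RAAC that arrives while its deTokens are actually in the pool.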

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

StabilityPool::calculateRaacRewards is vulnerable to just in time deposits
