some users/last users can’t claim rewards as initial users will claim all rewards in the FeeCollector contract.
Summary
** when 1st time collected fees are distributed by calling the function distributeCollectedFees in the FeeCollector contract , all users will claim rewards(totalDistributed amount) based on their veRAACToken voting power. When 2nd time/next time collected fees are distributed by calling the function distributeCollectedFees in the FeeCollector contract, then initial users will claim all rewards(totalDistributed amount) but some users/last users can’t claim rewards in the FeeCollector contract.**
Vulnerability Details
1. Let’s assume, 1st time collected fees are distributed by calling the function distributeCollectedFees in the FeeCollector contract and totalDistributed is updated to 1000e18.
2. let’s assume, currently totalVotingPower i.e veRAACToken.getTotalVotingPower() = 1000e18 and there are 5 users who have voting power. Every user’s (those 5 users) VotingPower i.e veRAACToken.getVotingPower(user) is 200e18. When those users claims rewards, every user gets (200e18*1000e18)/1000e18 = 200e18. So the 1st time’s rewards are claimed.
3. 2nd time, again collected fees are distributed by calling the function distributeCollectedFees in the FeeCollector contract and totalDistributed is updated/increased to 2000e18 from 1000e18. There are still those 5 users who have voting power. Every user’s (those 5 users) VotingPower i.e veRAACToken.getVotingPower(user) is still 200e18. So the 1st user will get (200e18*2000e18)/1000e18 = 400e18, 2nd user will also get 400e18. Currently the totalDistributed amount exists in the FeeCollector = 2000e18 - 1000e18(as previously 1000e18 amounts are claimed by 5 users) = 1000e18. So the 1st 2 users claim 400e18+400e18 = 800e18 amount of 1000e18( currently 1000e18 totalDistributed amount of 2000e18 exists in the FeeCollector). Now the 3rd user can’t claim rewards as there is only 200e18 reward amount in the FeeCollector. 3rd,4th,5th users can’t claim rewards this time. Here every user( those 5 users) should get 200e18 amount of rewards.
\
Impact
**some users/last users can’t claim rewards as initial users will claim all rewards in the FeeCollector contract. **
Tools Used
manual review
Recommendations
update totalDistributed amount properly.
Lead Judging Commences
FeeCollector::claimRewards sets `userRewards[user]` to `totalDistributed` seriously grieving users from rewards
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.