Summary
The FeeCollector contract implements time-weighted reward distribution to veRAAC holders but it is not used when users claim rewards.
Vulnerability Details
From RAAC documentation:
Implement time-weighted reward distribution to veRAAC holders (claimable by address)
The contract implements a sophisticated time-weighted distribution mechanism:
Uses TimeWeightedAverage library for calculations
Distribution periods of 7 days
Rewards based on user's veRAAC voting power
Accounts for total voting power changes
To distribute the collected fees the DISTRIBUTOR_ROLE has to call distributeCollectedFees function.
https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/collectors/FeeCollector.sol#L180-L192
function distributeCollectedFees() external override nonReentrant whenNotPaused {
if (!hasRole(DISTRIBUTOR_ROLE, msg.sender)) revert UnauthorizedCaller();
uint256 totalFees = _calculateTotalFees();
if (totalFees == 0) revert InsufficientBalance();
uint256[4] memory shares = _calculateDistribution(totalFees);
_processDistributions(totalFees, shares);
delete collectedFees;
emit FeeDistributed(shares[0], shares[1], shares[2], shares[3]);
}
This function calls internal _processDistributions. Inside this function the distribution period is created which is responsible for rewards calculation.
https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/collectors/FeeCollector.sol#L401-L424
function _processDistributions(uint256 totalFees, uint256[4] memory shares) internal {
uint256 contractBalance = raacToken.balanceOf(address(this));
if (contractBalance < totalFees) revert InsufficientBalance();
if (shares[0] > 0) {
uint256 totalVeRAACSupply = veRAACToken.getTotalVotingPower();
if (totalVeRAACSupply > 0) {
TimeWeightedAverage.createPeriod(
distributionPeriod,
block.timestamp + 1,
7 days,
shares[0],
totalVeRAACSupply
);
totalDistributed += shares[0];
} else {
shares[3] += shares[0];
}
}
if (shares[1] > 0) raacToken.burn(shares[1]);
if (shares[2] > 0) raacToken.safeTransfer(repairFund, shares[2]);
if (shares[3] > 0) raacToken.safeTransfer(treasury, shares[3]);
}
However when users try to claim rewards the created period is completly unused and rewards are distributed based on user current voting power and total voting power.
function _calculatePendingRewards(address user) internal view returns (uint256) {
uint256 userVotingPower = veRAACToken.getVotingPower(user);
if (userVotingPower == 0) return 0;
uint256 totalVotingPower = veRAACToken.getTotalVotingPower();
if (totalVotingPower == 0) return 0;
uint256 share = (totalDistributed * userVotingPower) / totalVotingPower;
return share > userRewards[user] ? share - userRewards[user] : 0;
}
Impact
Rewards should be distributed based on created distribution periods however they are distributed based on users current voting power and total voting power.
Tools Used
Manual Review, Hardhat
Recommendations
Change the rewards calculation function so that rewards are based on implemented distribution periods.
