Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

Incorrect Reward Distribution Due to Missing Deduction in redeemFromMarket

Summary

In the redeemFromMarket function of the MarketCreator contract, the market.reward value is not reduced after distributing rewards to users. This leads to incorrect reward distribution, where each subsequent withdrawal calculates rewards based on the initial market.reward value instead of the remaining rewards. As a result, users may receive disproportionately large rewards, and the contract may over-distribute rewards, potentially depleting the contract's balance.

Vulnerability Details

function redeemFromMarket(uint256 marketId) external nonReentrant {
    Market storage market = markets[marketId];
    UserPosition storage position = userPositions[marketId][msg.sender];
    require(position.exists, "No position found");
    require(block.timestamp >= position.lockEndTime, "Lock duration has not passed");
    uint256 amount = position.amount;
    uint256 reward = calculateReward(marketId, amount);
    market.totalDeposits -= amount; // Deducts user's deposit
    // Missed reward change
    delete userPositions[marketId][msg.sender];
    market.quoteAsset.safeTransfer(msg.sender, amount);
    raacToken.safeTransfer(msg.sender, reward);
    emit Redeemed(marketId, msg.sender, amount, reward);
}

The key problem is that market.reward is not reduced after transferring the reward to the user. This means that the calculateReward function will always use the initial market.reward value, leading to incorrect calculations and potential over-distribution of rewards.

Impact

  1. Incorrect Reward Distribution: Users who withdraw later may receive disproportionately large rewards, even if their contribution was minimal.

  2. Over-Distribution of Rewards: The contract may distribute more rewards than intended, potentially depleting the contract's balance of raacToken.

  3. Financial Loss: If the contract runs out of rewards, later users may not receive their fair share, leading to financial losses and loss of trust in the protocol.

Tools Used

Manual code review

Recommendations

To fix this issue, the market.reward value should be reduced by the distributed reward amount after each withdrawal.

    market.totalDeposits -= amount; // Deducts user's deposit
    market.reward -= reward; // Deducts distributed reward
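
The over-distribution described in this report can be reproduced with a small accounting model. This is an added example, not code from the RAAC contracts or from the submission; it assumes calculateReward pays pro rata (market.reward * amount / market.totalDeposits), which the page does not show, and the helper names and sample balances are constructed.

```javascript
// Simplified model of one market's accounting (added example, not RAAC code).
// ASSUMPTION: calculateReward is pro rata, market.reward * amount / market.totalDeposits;
// the page does not show its body. BigInt mirrors Solidity's truncating uint256 division.
function createMarket(fundedReward, deposits) {
  const positions = new Map(Object.entries(deposits)); // user -> deposited amount
  let totalDeposits = 0n;
  for (const amount of positions.values()) totalDeposits += amount;
  return { reward: fundedReward, totalDeposits, positions };
}

function calculateReward(market, amount) {
  if (market.totalDeposits === 0n) return 0n;
  return (market.reward * amount) / market.totalDeposits;
}

// deductReward = false reproduces the reported redeemFromMarket;
// deductReward = true applies the recommended `market.reward -= reward`.
function redeem(market, user, deductReward) {
  const amount = market.positions.get(user);
  if (amount === undefined) throw new Error("No position found");
  const reward = calculateReward(market, amount);
  market.totalDeposits -= amount;
  if (deductReward) market.reward -= reward;
  market.positions.delete(user);
  return reward;
}

// Redeem every position in order and compare total payouts with the funded pool.
function simulate(fundedReward, deposits, order, deductReward) {
  const market = createMarket(fundedReward, deposits);
  const payouts = order.map((user) => redeem(market, user, deductReward));
  const totalPaid = payouts.reduce((sum, r) => sum + r, 0n);
  return { payouts, totalPaid, overPaid: totalPaid > fundedReward };
}

// Constructed sample: 1000 reward tokens funded, three depositors.
const FUNDED = 1000n;
const DEPOSITS = { alice: 500n, bob: 300n, carol: 200n };
const ORDER = ["alice", "bob", "carol"];

const reported = simulate(FUNDED, DEPOSITS, ORDER, false);
const patched = simulate(FUNDED, DEPOSITS, ORDER, true);
console.log("reported:", reported.payouts, "total", reported.totalPaid);
console.log("patched: ", patched.payouts, "total", patched.totalPaid);
```

Under the stated assumption, the reported logic pays 2100 tokens against a 1000-token pool, while the version with the deduction pays exactly 1000.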

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
