Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Flashloan Exploit in RAAC Reward Distribution Leading to Theft of Rewards in StabilityPool Contract

0x23r0

Summary

The StabilityPool contract is vulnerable to a flashloan attack where an attacker can temporarily inflate their deposit to claim a disproportionate share of RAAC rewards. By leveraging flashloans to deposit and withdraw within a single transaction, the attacker can drain the RAAC tokens from the pool, undermining the reward system and causing financial loss to legitimate users.

Vulnerability Details

The vulnerability stems from how RAAC rewards are calculated and distributed in the StabilityPool. The calculateRaacRewards function computes a user's share based on their current deposit relative to the total deToken supply. This allows an attacker to manipulate their share by depositing a large amount via a flashloan, claiming a majority of the rewards, and withdrawing immediately, all within one transaction.

Attack Path

Initial State:
- StabilityPool has 100 RAAC tokens.
- Legitimate users have deposited 100 rTokens, resulting in 100 deTokens (1:1 ratio).
Attack Steps:
- Step 1: Attacker flashloans 10,000 crvUSD.
- Step 2: Deposits 10,000 crvUSD into LendingPool, receiving 10,000 rTokens.
- Step 3: Deposits 10,000 rTokens into StabilityPool, minting 10,000 deTokens. Now, totalDeposits = 10,100 deTokens.
- Step 4: Calls withdraw(10,000 deTokens), triggering reward calculation:
  raacRewards = (100 RAAC * 10,000 rTokens) / 10,100 deTokens ≈ 99 RAAC
- Step 5: Withdraws 10,000 rTokens, burns deTokens, and claims 99 RAAC.
- Step 6: Repays flashloan, keeping 99 RAAC as profit.

Result: The attacker extracts 99% of the RAAC rewards with minimal cost, leaving legitimate users with nearly nothing.

Impact

Attackers can drain the StabilityPool of RAAC tokens, depriving legitimate users of their rewards.

Tools Used

Manual Review

Recommendations

Implement a reward mechanism that considers the duration of deposits (e.g., using snapshots of user balances over time) and introduce a cooldown period before users can withdraw or claim rewards, deterring flashloan attacks.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

StabilityPool::calculateRaacRewards is vulnerable to just in time deposits

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!