Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

RAACMinter's pause allows manipulation of lastUpdateBlock leading to lost emissions

0xterrah

Relevant GitHub Links

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/minters/RAACMinter/RAACMinter.sol#L94

Summary

The pause() function in RAACMinter.sol allows manipulation of lastUpdateBlock which can lead to lost emissions by artificially shortening the time period for emission calculations.

Vulnerability Details

The pause() function allows setting lastUpdateBlock to any historical value. This means when the contract is unpaused, emission calculations will use this manipulated value instead of the actual last update block.

function pause(bool updateLastBlock, uint256 newLastUpdateBlock) external onlyRole(PAUSER_ROLE) {

_pause();

if (updateLastBlock) {

_setLastUpdateBlock(newLastUpdateBlock); // @audit can be set to recent block

}

This allows skipping emission calculations for blocks between the actual last update and the artificially set lastUpdateBlock.

Example scenario:

Block 100: lastUpdateBlock = 100

Block 150: pause() called with newLastUpdateBlock = 140

Block 200: unpause() called

Result: Emissions calculated for 60 blocks (200-140)

Should be: Emissions for 100 blocks (200-100)

Impact

Loss of emissions for skipped blocks, leading to reduced rewards for protocol participants.

Tools Used

Manual review

Recommendations

Remove the ability to set lastUpdateBlock during pause:

function pause() external onlyRole(PAUSER_ROLE) {

_pause();

}

If block tracking during pause is needed, implement a separate accounting system that preserves emission calculations for all blocks.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!