RAAC rewards from the StabilityPool accrue over time, but they are paid out every time a user calls withdraw() on the StabilityPool. The reward paid is calculated as a percentage of the user's share of deposited RAACToken and is not linked to how much the user withdraws.
A user can deposit a large amount of RAACToken and then chain-call withdraw() with a small amount; each call pays approximately the same reward, depleting the RAACToken reserve and taking rewards that belong to other users.
A user can also chain-call deposit() and withdraw(), although this costs somewhat more gas than the previous technique.
There is no tracking of how many RAAC rewards a user has already received, and the existing logic does not protect the rewards pool. A user can withdraw all rewards by chain-calling withdraw() with a small amount, or by chain-calling deposit() and withdraw().
The RAACRewards pool is 100.
For simplicity, totalDeposits = 1000 and userDeposit = 100, so the user holds 10% of the pool.
The user withdraws one token at a time.
A user can deplete the RAACRewards pool and steal all rewards from other staking users.
Manual
Compute rewards based on the amount actually being withdrawn.
Add a timelock on deposit/withdraw.
Change how rewards are sent, and avoid tying them to withdrawal.
Rewards should be linked to the time and amount of assets locked in the pool, not triggered arbitrarily by a withdraw() call.
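To make the accounting problem and the fix concrete, the following is a constructed Python model added here (it is not the project's StabilityPool code): VulnerablePool pays a share of the remaining reward pool on every withdraw() regardless of amount, while FixedPool uses a reward-per-token accumulator with per-user reward debt so that repeated small withdrawals pay no more than one full withdrawal. The reward-pool, deposit and share figures follow the report; the class and function names are assumptions.

```python
# Constructed model of the reward accounting this finding describes; it is
# not the project's StabilityPool code. Figures follow the report: a reward
# pool of 100 RAAC, totalDeposits = 1000, one user holding 100 (10% share).
SCALE = 10**18  # fixed-point scale for the accumulator in FixedPool


class VulnerablePool:
    """Pays rewardPool * userShare on every withdraw(), whatever `amount` is,
    and keeps no record of what a user has already been paid."""

    def __init__(self, reward_pool, deposits):
        self.reward_pool = reward_pool
        self.deposits = dict(deposits)
        self.total = sum(deposits.values())

    def withdraw(self, user, amount):
        share = self.deposits[user] / self.total   # share, not `amount`
        reward = self.reward_pool * share
        self.reward_pool -= reward
        self.deposits[user] -= amount
        self.total -= amount
        return reward


class FixedPool:
    """Accumulator plus per-user reward debt: payout depends only on the
    tokens held while rewards accrued, so repeated small withdraw() calls
    pay exactly what one full withdrawal would."""

    def __init__(self, deposits):
        self.deposits = dict(deposits)
        self.total = sum(deposits.values())
        self.acc = 0                     # reward per deposited token, scaled
        self.debt = {u: 0 for u in deposits}

    def fund(self, reward):              # rewards accrue pro rata to holders
        self.acc += reward * SCALE // self.total

    def withdraw(self, user, amount):
        owed = self.deposits[user] * self.acc // SCALE - self.debt[user]
        self.deposits[user] -= amount
        self.total -= amount
        self.debt[user] = self.deposits[user] * self.acc // SCALE
        return owed


def repeated_withdraw(pool, user, amount, calls):
    """Total reward paid for `calls` withdrawals of `amount` each."""
    return sum(pool.withdraw(user, amount) for _ in range(calls))
```

With the report's figures, 100 one-token withdrawals from VulnerablePool pay the 10% holder over 99 of the 100 rewards, whereas FixedPool pays that user 10 however the withdrawal is split and leaves 90 for the other depositors.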