Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Reward sniping in `StabilityPool`

falendar

Summary

A malicious user can steal a large portion of accumulated RAAC rewards in the StabilityPool contract through a quick deposit and withdrawal, unfairly taking rewards from long-term depositors.

Vulnerability Details

In the StabilityPool contract, rewards are calculated based on the current token balance:

function calculateRaacRewards(address user) public view returns (uint256) {
uint256 userDeposit = userDeposits[user];
uint256 totalDeposits = deToken.totalSupply();
uint256 totalRewards = raacToken.balanceOf(address(this));
if (totalDeposits < 1e6) return 0;
return (totalRewards * userDeposit) / totalDeposits;
}

Attack Scenario:

Initial State:

  • StabilityPool has accumulated 1000 RAAC over a month

  • Alice has 100 tokens deposited for the whole month

  • Total deposits = 100 tokens

Attack steps:

  1. Bob deposits 2000 tokens

  2. Bob immediately calls withdraw

  3. Bob receives ~950 RAAC (1000 * 2000 / 2100)

  4. Only ~50 RAAC left in the pool, which can be sniped by someone else

Impact

High: Significant portion of protocol rewards can be captured by attackers rather than legitimate users. This disincentivizes long-term deposits.

Recommendations

Minting of RAAC accumulates linearly, rewards can be sniped instantly. To prevent reward sniping, consider implementing a time-based reward accrual system where users earn their share of newly minted rewards continuously based on deposit duration, rather than having instant access to the entire pool of accumulated rewards.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

StabilityPool::calculateRaacRewards is vulnerable to just in time deposits

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!