Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

[H] Incorrect Reward Assignment in `claimRewards` Function in `FeeCollector`

Singularity

Summary

The claimRewards function in the FeeCollector contract incorrectly assigns the totalDistributed value to the userRewards mapping for a single user. This is incorrect and can lead to inaccurate reward calculations for other users.

Vulnerability Details

The current claimRewards function in the FeeCollector contract is:

function claimRewards(address user) external override nonReentrant whenNotPaused returns (uint256) {
if (user == address(0)) revert InvalidAddress();
uint256 pendingReward = _calculatePendingRewards(user);
if (pendingReward == 0) revert InsufficientBalance();
// Reset user rewards before transfer
>> userRewards[user] = totalDistributed;
// Transfer rewards
raacToken.safeTransfer(user, pendingReward);
emit RewardClaimed(user, pendingReward);
return pendingReward;
}

The line userRewards[user] = totalDistributed; incorrectly assigns the totalDistributed value to the userRewards mapping for a single user.

Impact

When the user tries to claim rewards again for the next batch, the _calculatePendingRewards function calculates the remaining amount of shares the user has to claim. If userRewards is greater than share, the user gets zero rewards.

The _calculatePendingRewards function is:

function _calculatePendingRewards(address user) internal view returns (uint256) {
uint256 userVotingPower = veRAACToken.getVotingPower(user);
if (userVotingPower == 0) return 0;
uint256 totalVotingPower = veRAACToken.getTotalVotingPower();
if (totalVotingPower == 0) return 0;
uint256 share = (totalDistributed * userVotingPower) / totalVotingPower;
return share > userRewards[user] ? share - userRewards[user] : 0;
}

If userRewards[user] is greater than share, the user gets zero rewards.

Link to the issue:

  1. https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/collectors/FeeCollector.sol#L206

Tools Used

Manual code review.

Recommendations

Update the claimRewards function to correctly assign the pending reward to the userRewards mapping for the user. The corrected function should be:

function claimRewards(address user) external override nonReentrant whenNotPaused returns (uint256) {
if (user == address(0)) revert InvalidAddress();
uint256 pendingReward = _calculatePendingRewards(user);
if (pendingReward == 0) revert InsufficientBalance();
// Reset user rewards before transfer
>> userRewards[user] += pendingReward;
// Transfer rewards
raacToken.safeTransfer(user, pendingReward);
emit RewardClaimed(user, pendingReward);
return pendingReward;
}

This ensures that the rewards are correctly assigned to the user without affecting the reward calculations for other users.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

FeeCollector::claimRewards sets `userRewards[user]` to `totalDistributed` seriously grieving users from rewards

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!