Core Contracts

Relevant GitHub Links

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/collectors/FeeCollector.sol#L479-L487

Summary

The FeeCollector contract calculates user rewards based on their current voting power rather than historical voting power at the time of fee distribution, leading to unfair reward distribution and potential manipulation.

Vulnerability Details

In FeeCollector.sol, the _calculatePendingRewards function uses current voting power ratios to determine user rewards for all historical fee distributions:

The issue arises because:

1. totalDistributed accumulates all historical fee distributions and is never reset

2. Rewards calculation uses current voting power ratio against this cumulative value

3. No tracking of historical voting power when fees were actually distributed

Impact

1. Users who acquire veRAACToken later unfairly receive rewards from distributions that occurred before they held tokens

2. Users who had more veRAACToken in the past but reduced their position get fewer rewards than they should

3. Can be manipulated by timing veRAACToken acquisitions just before reward claims

4. Incorrect economic model that doesn't properly incentivize long-term holding

Tools Used

Manual Review

Recommendations

Implement standard rewards distribution tracking similar to widely used and audited staking reward systems (like Synthetix's StakingRewards). The key improvements should be:

1. Track rewards per token instead of cumulative total distributed rewards

2. Store user checkpoints that record when users modify their veRAACToken positions

3. Calculate rewards based on the actual period users held their tokens

4. Update user reward checkpoints whenever they:

   • Claim rewards

   • Modify their veRAACToken balance

   • Interact with rewards in any way

This ensures users only receive rewards for periods they actually held tokens and prevents manipulation through timing of token acquisitions.