The calculateRaacRewards function in the contract is vulnerable to a frontrunning attack where an attacker can manipulate the total deposit value just before an honest user withdraws their funds. This allows the attacker to reduce the reward allocation for the honest user who has staked for a longer duration. The attack exploits the fact that rewards are calculated based on the proportion of an individual's deposit to the total deposit at the moment of withdrawal.
The issue arises due to the way rewards are distributed in the calculateRaacRewards function:
When a user calls withdraw(), their reward share is determined based on their deposit proportion at that moment.
Since totalDeposits is used as the denominator, any increase in this value will reduce the fraction allocated to a specific user.
An attacker can take advantage of this by frontrunning the withdraw() transaction of an honest user.
An honest user stakes a significant amount of tokens for an extended period and accrues rewards over time.
When the user attempts to withdraw, the contract first calls _update(), which updates the reward state before calculating the final reward share.
The attacker monitors pending transactions and detects a withdraw() transaction from a high-value staker.
The attacker immediately sends a deposit() transaction with a large amount of tokens and frontruns the honest user's withdraw().
Since the attacker's deposit increases totalDeposits, the proportion of rewards assigned to the honest user is reduced.
As a result, the honest user receives fewer rewards than they should, while the attacker can later withdraw their deposit with minimal loss.
Honest users who have staked for a long time receive fewer rewards than expected.
Manual Review
Incorporate a time factor into reward calculations to ensure that users who have staked longer are not affected by sudden changes in totalDeposits.
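To make the dilution concrete and to show why the time-weighted recommendation removes it, the following Python model is an added example; it is not the contract's calculateRaacRewards code and it does not reproduce the project's storage layout. SnapshotPool models the weak scheme described above (share = deposit / totalDeposits at withdraw time), and TimeWeightedPool models the fix with a per-second rewardPerToken accumulator and a per-depositor checkpoint, the pattern used by common staking contracts. The stake sizes, the emission rate of 1 reward unit per second and the 100-second horizon are constructed inputs, not figures from the finding.

```python
from dataclasses import dataclass, field

PRECISION = 10**18  # fixed-point scale for rewardPerToken, as Solidity contracts commonly use


@dataclass
class SnapshotPool:
    """Model of the weak scheme: a user's share of the reward pool is
    deposit / totalDeposits measured when withdraw() runs, so a deposit
    ordered just before that call shrinks the share."""
    deposits: dict = field(default_factory=dict)
    total: int = 0

    def deposit(self, user: str, amount: int) -> None:
        self.deposits[user] = self.deposits.get(user, 0) + amount
        self.total += amount

    def withdraw(self, user: str, reward_pool: int) -> int:
        amount = self.deposits.pop(user)
        reward = reward_pool * amount // self.total  # proportion taken at withdraw time
        self.total -= amount
        return reward


@dataclass
class TimeWeightedPool:
    """Model of the recommended fix: rewards accrue per second into a global
    rewardPerToken accumulator; each depositor records the accumulator at
    deposit time and earns deposit * (current - recorded). A deposit made in
    the withdrawing block has accrued for zero seconds, so it cannot change
    what an earlier staker already earned."""
    rate: int                        # reward units emitted per second
    reward_per_token: int = 0        # scaled by PRECISION
    last_time: int = 0
    total: int = 0
    deposits: dict = field(default_factory=dict)
    checkpoint: dict = field(default_factory=dict)  # rewardPerToken seen at deposit

    def _update(self, now: int) -> None:
        # Fold the time elapsed since the last touch into the accumulator
        if self.total > 0:
            elapsed = now - self.last_time
            self.reward_per_token += self.rate * elapsed * PRECISION // self.total
        self.last_time = now

    def deposit(self, user: str, amount: int, now: int) -> None:
        self._update(now)
        # One open position per user keeps the model short (assumption)
        self.deposits[user] = amount
        self.checkpoint[user] = self.reward_per_token
        self.total += amount

    def withdraw(self, user: str, now: int) -> int:
        self._update(now)
        amount = self.deposits.pop(user)
        earned = amount * (self.reward_per_token - self.checkpoint.pop(user)) // PRECISION
        self.total -= amount
        return earned


def simulate(frontrun: bool, honest_stake: int = 1000, attacker_stake: int = 9000,
             rate: int = 1, duration: int = 100) -> tuple:
    """Run the scenario from the finding against both models and return
    (snapshot_reward, time_weighted_reward) for the honest staker."""
    snap = SnapshotPool()
    tw = TimeWeightedPool(rate=rate)

    # t = 0: the honest user stakes and is the only depositor for `duration` seconds
    snap.deposit("honest", honest_stake)
    tw.deposit("honest", honest_stake, now=0)
    reward_pool = rate * duration  # total rewards emitted over the period

    # t = duration: a large deposit is ordered ahead of the honest withdraw
    if frontrun:
        snap.deposit("attacker", attacker_stake)
        tw.deposit("attacker", attacker_stake, now=duration)

    return (snap.withdraw("honest", reward_pool),
            tw.withdraw("honest", now=duration))


if __name__ == "__main__":
    print("no frontrun :", simulate(False))  # (100, 100)
    print("frontrun    :", simulate(True))   # (10, 100)
```

Under the snapshot scheme the honest staker's 100 units fall to 10 once the denominator jumps from 1,000 to 10,000; under the accumulator scheme the result stays at 100 because the late deposit checkpoints at the current rewardPerToken and only earns from that point on. The same invariant is what a unit test for the fix should assert: a deposit made in the same block as a withdrawal must not change the withdrawer's reward.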