Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

New veRAAC holders can claim historical rewards, leading to unfair distribution

Summary

The FeeCollector::claimRewards() function allows new veRAAC holders to claim rewards that should belong to historical holders, due to using current voting power instead of time-weighted power for calculations.

Vulnerability Details

The FeeCollector::claimRewards function calculates rewards based on a user's current voting power relative to total voting power, without considering when they acquired their veRAAC tokens. This means new holders can immediately claim a portion of accumulated rewards that should belong to users who held veRAAC during the actual fee collection period.

The root cause is in the _calculatePendingRewards() function:

```solidity
function _calculatePendingRewards(address user) internal view returns (uint256) {
    // Voting power is read at claim time, not for the period in which fees were collected.
    uint256 userVotingPower = veRAACToken.getVotingPower(user);
    if (userVotingPower == 0) return 0;
    uint256 totalVotingPower = veRAACToken.getTotalVotingPower();
    if (totalVotingPower == 0) return 0;
    // The share is taken over everything ever distributed, using the current power ratio.
    uint256 share = (totalDistributed * userVotingPower) / totalVotingPower;
    return share > userRewards[user] ? share - userRewards[user] : 0;
}
```

The calculation uses current voting power ratios rather than historical voting power during the fee collection period. This creates an unfair distribution where new holders can claim rewards they didn't earn.

Proof of Concept

**Note: this example doesn't take into account the decaying voting power over time, so the issue is shown more clearly.**

  1. Alice holds 100 veRAAC tokens for 30 days while fees accumulate

  2. Protocol collects 1000 RAAC tokens in fees during this period

  3. Bob locks 100 veRAAC tokens after the fee collection

  4. Bob can immediately claim ~500 RAAC tokens (50% of rewards) despite not holding during collection

  5. Alice only receives 500 RAAC instead of the full 1000 she should get for being the sole holder during collection

Impact

  • Unfair distribution of protocol fees

  • Early veRAAC holders receive fewer rewards than they should

  • Potential for gaming the system by timing veRAAC mints with reward distributions

Recommendations

  1. Implement time-weighted reward tracking.

  2. Implement a checkpoint system that tracks historical balances and calculates rewards based on average balance during the distribution period.
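
The proof-of-concept numbers can be replayed in a small model. This is an added example, not code from the RAAC contracts or from the submission: `CurrentPowerModel` mirrors the arithmetic of `_calculatePendingRewards()`, while `IndexedModel` is a hypothetical cumulative reward-per-voting-power index, one common way to get the time-aware tracking recommended above. The class names, `SCALE` and `runPoc` are assumptions, and decay is ignored as in the PoC.

```javascript
// Added model, not RAAC contract code. Decay of voting power is ignored, as in the PoC.
const SCALE = 10n ** 18n; // fixed-point precision for the index (assumed)
const get = (map, key) => map.get(key) ?? 0n;

// Mirrors the reported _calculatePendingRewards(): share taken from *current* power.
class CurrentPowerModel {
  power = new Map(); userRewards = new Map(); total = 0n; totalDistributed = 0n;
  lock(user, amount) {
    this.power.set(user, get(this.power, user) + amount);
    this.total += amount;
  }
  distribute(fees) { this.totalDistributed += fees; }
  pending(user) {
    const userPower = get(this.power, user);
    if (userPower === 0n || this.total === 0n) return 0n;
    const share = (this.totalDistributed * userPower) / this.total;
    const claimed = get(this.userRewards, user);
    return share > claimed ? share - claimed : 0n;
  }
}

// Hypothetical alternative: a cumulative reward-per-unit-of-power index.
class IndexedModel {
  power = new Map(); paidIndex = new Map(); accrued = new Map(); total = 0n; index = 0n;
  settle(user) { // credit rewards earned at the old power, then move the user's cursor
    const delta = this.index - get(this.paidIndex, user);
    this.accrued.set(user, get(this.accrued, user) + (get(this.power, user) * delta) / SCALE);
    this.paidIndex.set(user, this.index);
  }
  lock(user, amount) {
    this.settle(user); // must run before the power changes
    this.power.set(user, get(this.power, user) + amount);
    this.total += amount;
  }
  distribute(fees) { // fees arriving while nobody is locked are dropped in this model
    if (this.total > 0n) this.index += (fees * SCALE) / this.total;
  }
  pending(user) { this.settle(user); return get(this.accrued, user); }
}

// PoC steps 1-3, plus an optional second distribution after Bob has locked.
function runPoc(Model, laterFees = 0n) {
  const m = new Model();
  m.lock("alice", 100n);
  m.distribute(1000n);
  m.lock("bob", 100n);
  m.distribute(laterFees);
  return { alice: m.pending("alice"), bob: m.pending("bob") };
}
```

Calling `runPoc(IndexedModel, 1000n)` adds a second distribution after Bob's lock; the two holders split only those later fees.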

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Time-Weighted Average Logic is Not Applied to Reward Distribution in `FeeCollector`
