A malicious user can claim RAAC rewards earlier than intended on behalf of other protocol users and thereby manipulate the veRAAC yield distribution.
Users accumulate RAAC token rewards while they hold veRAAC over a period of time. However, the claimRewards function in the FeeCollector contract allows anyone to claim rewards on behalf of another address. This lets a malicious user force a claim for any veRAAC holder without that holder's consent.
POC
Alice, Bob, and Jack obtain veRAAC tokens at the same time.
Bob knows he can claim for Alice, so he calls claimRewards passing Alice's address.
Alice receives her RAAC rewards earlier than she intended.
Bob and Jack now have more voting power than Alice and gather more RAAC rewards, because they are still holding their unclaimed positions and continue to accumulate.
OBSERVE how a user's voting power is used to estimate the RAAC rewards accumulated over time.
An earlier, forced claim of RAAC tokens for other users causes those users to lose voting power.
An attacker whose rewards are still unclaimed gathers more voting power and earns more from the yield generation.
Manual review.
Add a check so that only the user who owns the rewards (msg.sender) can claim them; if claiming on behalf of others is a desired feature, require an explicit opt-in from the reward owner.
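The following contrast illustrates both the POC scenario above and the recommended fix. It is an added example and not the RAAC project's FeeCollector code: the rewards ledger (`pending`), the token interface, the contract names, the `claimOperator` mapping and the function names other than `claimRewards` are hypothetical assumptions chosen only to show the access-control point. The hardened variant goes slightly beyond the recommendation by also showing an opt-in delegation path, in case claiming for others is a product requirement.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; NOT the RAAC project's FeeCollector implementation.
// Assumption: rewards already accrued per user are tracked in `pending`
// (hypothetical); how they are computed from veRAAC balances is out of scope.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Weak pattern described in the finding: any caller may settle `user`'s
// rewards, which forces an early claim on a third party (Bob claiming for Alice).
contract FeeCollectorVulnerable {
    IERC20 public immutable raac;
    mapping(address => uint256) public pending; // hypothetical accrued rewards

    event RewardsClaimed(address indexed user, address indexed caller, uint256 amount);

    constructor(IERC20 _raac) {
        raac = _raac;
    }

    function claimRewards(address user) external returns (uint256 amount) {
        amount = pending[user];
        require(amount > 0, "nothing to claim");
        pending[user] = 0;
        require(raac.transfer(user, amount), "transfer failed");
        // Note: `caller` != `user` is possible here; that is the bug.
        emit RewardsClaimed(user, msg.sender, amount);
    }
}

// Hardened pattern: the owner of the rewards decides when they are claimed.
contract FeeCollectorHardened {
    IERC20 public immutable raac;
    mapping(address => uint256) public pending; // hypothetical accrued rewards

    // Optional opt-in delegation: owner => operator => allowed (hypothetical).
    mapping(address => mapping(address => bool)) public claimOperator;

    event RewardsClaimed(address indexed user, address indexed caller, uint256 amount);
    event ClaimOperatorSet(address indexed user, address indexed operator, bool allowed);

    constructor(IERC20 _raac) {
        raac = _raac;
    }

    // Fix as recommended: only msg.sender's own rewards can be claimed.
    function claimRewards() external returns (uint256) {
        return _claim(msg.sender);
    }

    // Optional extension: a user may explicitly authorise an operator.
    function setClaimOperator(address operator, bool allowed) external {
        claimOperator[msg.sender][operator] = allowed;
        emit ClaimOperatorSet(msg.sender, operator, allowed);
    }

    // Claiming for another address requires that address's prior consent.
    function claimRewardsFor(address user) external returns (uint256) {
        require(
            msg.sender == user || claimOperator[user][msg.sender],
            "not authorised to claim for user"
        );
        return _claim(user);
    }

    function _claim(address user) internal returns (uint256 amount) {
        amount = pending[user];
        require(amount > 0, "nothing to claim");
        pending[user] = 0; // effects before interaction
        require(raac.transfer(user, amount), "transfer failed");
        emit RewardsClaimed(user, msg.sender, amount);
    }
}
```

A useful regression test for the fix is to have a second account call `claimRewardsFor(alice)` without prior `setClaimOperator` and assert that the call reverts and `pending[alice]` is unchanged; emitting the `caller` alongside the `user` in the claim event also makes third-party claims easy to spot in monitoring.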