The FeeCollector contract's reward distribution mechanism contains a critical vulnerability in its reward calculation logic: rewards are determined from a user's current voting power rather than from the voting power the user held at the time of each distribution. The issue lies in the interaction between distributeCollectedFees(), which accumulates global rewards via totalDistributed += shares[0], and _calculatePendingRewards(), which computes a user's share from current voting power: uint256 share = (totalDistributed * userVotingPower) / totalVotingPower. Because the cumulative total is multiplied by a point-in-time balance, a user can temporarily increase their veRAAC voting power immediately before claiming, have their share computed against all historical distributions at that inflated power, claim an outsized portion of rewards, and then reduce their voting power afterward. The core issue is that the contract applies point-in-time voting power to cumulative historical rewards instead of tracking the reward rate per unit of voting power at each distribution event.
Malicious users can extract more rewards than they are rightfully entitled to, directly reducing the reward share of other legitimate veRAAC holders and compromising the economic incentives of the entire protocol.
Implement a checkpoint system that tracks historical voting power snapshots at each distribution event and calculates rewards based on the user's actual voting power during each distribution period rather than using current voting power against cumulative totals.
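The following is an added illustration of the recommendation above, not code from the RAAC project: a minimal reproduction of the vulnerable "cumulative total times current power" calculation next to a checkpointed accumulator that credits each unit of voting power only for distributions that occurred while it was held. The IVotingPower interface, the function and variable names, and the assumption that the voting-power token calls checkpoint() on every power change are all hypothetical and chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed minimal interface for the veRAAC voting-power token (not the project's real interface).
interface IVotingPower {
    function votingPowerOf(address user) external view returns (uint256);
    function totalVotingPower() external view returns (uint256);
}

// Vulnerable pattern: the cumulative total is multiplied by *current* voting power,
// so power acquired after a distribution still earns a share of that distribution.
contract FeeCollectorVulnerable {
    IVotingPower public immutable ve;
    uint256 public totalDistributed;
    mapping(address => uint256) public claimed;

    constructor(IVotingPower _ve) { ve = _ve; }

    function distributeCollectedFees(uint256 amount) external {
        totalDistributed += amount; // corresponds to shares[0] in the finding
    }

    // Current voting power applied to the entire history of distributions.
    function _calculatePendingRewards(address user) internal view returns (uint256) {
        uint256 share = (totalDistributed * ve.votingPowerOf(user)) / ve.totalVotingPower();
        return share > claimed[user] ? share - claimed[user] : 0;
    }
}

// Hardened pattern: a global reward-per-voting-power accumulator advanced at each
// distribution, with a per-user checkpoint taken before any change in voting power.
contract FeeCollectorCheckpointed {
    IVotingPower public immutable ve;
    uint256 private constant PRECISION = 1e18;

    uint256 public rewardPerPowerStored;                         // cumulative reward per unit of power
    mapping(address => uint256) public userRewardPerPowerPaid;   // accumulator value at user's last checkpoint
    mapping(address => uint256) public rewards;                  // accrued but unclaimed rewards
    mapping(address => uint256) public lockedPower;              // power credited to this user so far
    uint256 public totalLockedPower;

    constructor(IVotingPower _ve) { ve = _ve; }

    // Assumption: the veRAAC token calls this on every lock, extension, decay update or unlock.
    // Rewards are settled at the OLD power first, so newly added power earns nothing
    // from distributions that happened before it was locked.
    function checkpoint(address user) public {
        uint256 oldPower = lockedPower[user];
        rewards[user] += (oldPower * (rewardPerPowerStored - userRewardPerPowerPaid[user])) / PRECISION;
        userRewardPerPowerPaid[user] = rewardPerPowerStored;

        uint256 newPower = ve.votingPowerOf(user);
        totalLockedPower = totalLockedPower - oldPower + newPower;
        lockedPower[user] = newPower;
    }

    // Each distribution raises the accumulator by amount / (power held at this moment).
    function distributeCollectedFees(uint256 amount) external {
        require(totalLockedPower > 0, "no voting power to distribute to");
        rewardPerPowerStored += (amount * PRECISION) / totalLockedPower;
    }

    function claim() external returns (uint256 amount) {
        checkpoint(msg.sender); // settle at the power held across past distributions
        amount = rewards[msg.sender];
        rewards[msg.sender] = 0;
        // token transfer of `amount` omitted for brevity
    }
}
```

In the checkpointed version, raising voting power just before claim() only changes lockedPower for distributions that happen afterwards; the accumulator delta is applied to the power that was actually checkpointed earlier. Two caveats a reviewer would raise against a real implementation: veRAAC-style power decays over time, so the token must trigger checkpoint() (or the collector must read power from a snapshot at each distribution's block) or totalLockedPower drifts from reality; and integer division of amount * PRECISION by totalLockedPower leaves dust that should be tracked rather than silently lost.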