The _applyBoost() function calculates a user's reward multiplier from their veRAACToken balance at the moment the function is called; it keeps no historical record of the balance over time. A user can therefore raise their veRAACToken balance just before claiming (by borrowing, receiving a transfer, or staking at the last moment), call getReward() to collect an artificially boosted reward, and then return or transfer the veRAACToken away. Because _applyBoost() never checks that the balance was held for any meaningful period, an attacker can take a disproportionate share of rewards at the expense of honest participants.
Example exploit scenario:
This results in the attacker stealing more rewards than fairly allocated, reducing incentives for other stakers.
Unfair reward distribution, leading to loss of funds for honest users.
Snapshot veRAACToken balances at staking or reward update events to ensure boost calculations use a historical balance rather than an easily manipulatable live balance.
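The following simulation is an added illustration, not code from the RAAC project: it models a hypothetical reward distributor in which _applyBoost() scales an accrued base reward by a multiplier derived from the veRAACToken balance (assumed to rise linearly from 1x at zero ve to 2x at an assumed BOOST_CAP of 1000 ve). The vulnerable class reads the live balance at claim time; the mitigated class applies the balance checkpointed at the last staking or reward-update event to the rewards accrued since that event, which is the snapshot approach recommended above. All balances, reward amounts and the scenario are constructed for the example.

```python
"""Boost manipulation vs. checkpointed boost (constructed model, not project code)."""

BOOST_CAP = 1_000  # assumed: ve balance at which the multiplier reaches 2x


def boost_multiplier(ve_balance: int) -> float:
    """Linear boost, 1.0x at 0 ve, capped at 2.0x (assumed curve)."""
    return 1.0 + min(ve_balance, BOOST_CAP) / BOOST_CAP


class LiveBoostDistributor:
    """Vulnerable pattern: the boost reads the live ve balance at claim time."""

    def __init__(self) -> None:
        self.ve: dict[str, int] = {}       # live veRAACToken balance
        self.base: dict[str, float] = {}   # unboosted reward owed per user

    def set_ve(self, user: str, amount: int) -> None:
        # Stake, transfer-in, or borrow: nothing else is recorded.
        self.ve[user] = amount

    def accrue(self, user: str, base_amount: float) -> None:
        self.base[user] = self.base.get(user, 0.0) + base_amount

    def _apply_boost(self, user: str, base_amount: float) -> float:
        return base_amount * boost_multiplier(self.ve.get(user, 0))

    def get_reward(self, user: str) -> float:
        payout = self._apply_boost(user, self.base.get(user, 0.0))
        self.base[user] = 0.0
        return payout


class SnapshotBoostDistributor:
    """Mitigated pattern: reward accrued during a period is boosted by the ve
    balance checkpointed at the start of that period (the last staking or
    reward-update event), never by the balance seen at claim time."""

    def __init__(self) -> None:
        self.ve: dict[str, int] = {}
        self.base: dict[str, float] = {}
        self.ve_checkpoint: dict[str, int] = {}   # ve at last update event
        self.boosted_pending: dict[str, float] = {}

    def _update_reward(self, user: str) -> None:
        """Settle accrued base reward at the checkpointed (historical) balance."""
        boosted = self.base.get(user, 0.0) * boost_multiplier(self.ve_checkpoint.get(user, 0))
        self.boosted_pending[user] = self.boosted_pending.get(user, 0.0) + boosted
        self.base[user] = 0.0

    def set_ve(self, user: str, amount: int) -> None:
        # Any ve change is an update event: settle at the old checkpoint first,
        # then record the new balance so it only governs future accrual.
        self._update_reward(user)
        self.ve[user] = amount
        self.ve_checkpoint[user] = amount

    def accrue(self, user: str, base_amount: float) -> None:
        self.base[user] = self.base.get(user, 0.0) + base_amount

    def get_reward(self, user: str) -> float:
        self._update_reward(user)
        payout = self.boosted_pending.get(user, 0.0)
        self.boosted_pending[user] = 0.0
        return payout


def run_scenario(distributor) -> dict[str, float]:
    """Honest user holds 1000 ve for the whole period; the attacker holds 0 ve
    while rewards accrue, acquires 1000 ve right before claiming, then returns it."""
    distributor.set_ve("honest", 1_000)
    distributor.set_ve("attacker", 0)
    # Constructed: both earn the same unboosted reward over the period.
    distributor.accrue("honest", 100.0)
    distributor.accrue("attacker", 100.0)
    # Last-moment inflation (borrowed or transferred-in ve), claim, give back.
    distributor.set_ve("attacker", 1_000)
    attacker_reward = distributor.get_reward("attacker")
    distributor.set_ve("attacker", 0)
    honest_reward = distributor.get_reward("honest")
    return {"honest": honest_reward, "attacker": attacker_reward}


if __name__ == "__main__":
    print("live balance :", run_scenario(LiveBoostDistributor()))
    print("checkpointed :", run_scenario(SnapshotBoostDistributor()))
```

With the live-balance distributor the attacker collects 200 (2x) for a balance held for a single call; with checkpointing the attacker's 100 base reward is settled at the 1x multiplier that was in force while it accrued, and the inflated balance only governs accrual after the checkpoint, so the attacker must actually hold veRAACToken across a reward period to benefit. The ordering inside set_ve matters: settle pending rewards at the old checkpoint before recording the new balance. Taking the snapshot at the claim event itself, or updating the checkpoint before settling, would reintroduce the original issue.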