Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Incorrect Reward Accounting in claimRewards

0x68

Summary

The claimRewards function in FeeCollector.sol contains a critical vulnerability in how it tracks user rewards. The issue arises from incorrect state updates, specifically where userRewards[user] is reset to totalDistributed, leading to incorrect reward calculations. This can Potentially set a user’s claimable rewards to zero for the next claim, resulting in lost earnings.

Vulnerability Details

function claimRewards(address user) external override nonReentrant whenNotPaused returns (uint256) {
// ...existing code...
// Current problematic implementation
userRewards[user] = totalDistributed; // @audit-issue Incorrect reward tracking
// Transfer rewards
raacToken.safeTransfer(user, pendingReward);
// ...
}

The issue arises because:

  1. totalDistributed is a global accumulator for all rewards.

  2. Setting userRewards[user] = totalDistributed doesn't accurately track individual historical claims.

  3. lastClaimTime tracking is missing entirely

Impact

  1. Potential double-claiming of rewards.

  2. Incorrect reward calculations for users.

  3. Loss of claim history tracking.

  4. Possible economic damage to the protocol.

Tools Used

Manual code review
Static analysis

Recommendations

function claimRewards(address user) external override nonReentrant whenNotPaused returns (uint256) {
if (user == address(0)) revert InvalidAddress();
uint256 pendingReward = _calculatePendingRewards(user);
if (pendingReward == 0) revert InsufficientBalance();
// Increment user rewards instead of setting to totalDistributed
+ userRewards[user] += pendingReward;
+ _updateLastClaimTime(user);
- userRewards[user] = totalDistributed;
// Transfer rewards
raacToken.safeTransfer(user, pendingReward);
emit RewardClaimed(user, pendingReward);
return pendingReward;
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

FeeCollector::claimRewards sets `userRewards[user]` to `totalDistributed` seriously grieving users from rewards

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.