Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Invalid

Potential fee deduction during staking in `BaseGauge.sol`

Summary

The staking token isn't defined explicitly, so it could be a fee-on-transfer or rebase token.

Vulnerability Details

The `BaseGauge` contract is a core component of the RAAC protocol, responsible for managing reward distribution and boost calculations for users staking tokens. It includes functionalities such as reward distribution with boost multipliers, time-weighted average tracking, and access control. The contract allows users to stake tokens using the `stake()` function, which transfers tokens from the user's address to the contract.

The `stake()` function uses the `safeTransferFrom()` method from the `SafeERC20` library to transfer tokens. However, there is no explicit check to confirm that the exact amount of tokens specified by the user is transferred without any deductions. This could lead to a situation where the staking token contract deducts fees during the transfer, resulting in the user staking fewer tokens than intended. This discrepancy can affect the user's reward calculations and overall staking experience.

The highest impact scenario occurs when a user stakes tokens, expecting to receive rewards based on the full amount staked. If the staking token contract deducts fees during the transfer, the user's staked balance in the `BaseGauge` contract will be lower than expected, leading to reduced rewards and potential dissatisfaction.

Impact

  • It can lead to discrepancies in the user's staked balance and reward calculations.

  • It can result in reduced rewards and potential dissatisfaction among users, undermining the integrity of the staking mechanism.

Tools Used

Manual Review

Recommendations

To ensure that the exact amount of tokens is transferred during staking, implement a balance check before and after the transfer to confirm that no fees are deducted. This can be achieved by comparing the contract's balance of the staking token before and after the `safeTransferFrom()` call:

```solidity
function stake(uint256 amount) external nonReentrant updateReward(msg.sender) {
    if (amount == 0) revert InvalidAmount();
    // Measure what the gauge actually receives rather than trusting `amount`.
    uint256 balanceBefore = stakingToken.balanceOf(address(this));
    stakingToken.safeTransferFrom(msg.sender, address(this), amount);
    uint256 balanceAfter = stakingToken.balanceOf(address(this));
    // Revert if the token kept a fee (received != requested).
    require(balanceAfter - balanceBefore == amount, "Fee deducted during transfer");
    _totalSupply += amount;
    _balances[msg.sender] += amount;
    emit Staked(msg.sender, amount);
}
```
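
A test fixture for exercising the balance check above, as an added example that is not part of the submission or the RAAC code base: a minimal fee-on-transfer ERC-20 that can stand in for `stakingToken` in a Hardhat test. The contract name, the 1% fee and the burn-the-fee behaviour are assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical test-only token (assumption, not RAAC code).
// Every transfer debits the full `value` from the sender but credits less to the receiver.
contract MockFeeOnTransferToken {
    string public constant name = "Mock Fee Token";
    string public constant symbol = "MFT";
    uint8 public constant decimals = 18;
    uint256 public constant FEE_BPS = 100; // 1% fee, constructed value

    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    constructor(uint256 initialSupply) {
        totalSupply = initialSupply;
        balanceOf[msg.sender] = initialSupply;
        emit Transfer(address(0), msg.sender, initialSupply);
    }

    function approve(address spender, uint256 value) external returns (bool) {
        allowance[msg.sender][spender] = value;
        emit Approval(msg.sender, spender, value);
        return true;
    }

    function transfer(address to, uint256 value) external returns (bool) {
        _move(msg.sender, to, value);
        return true;
    }

    function transferFrom(address from, address to, uint256 value) external returns (bool) {
        allowance[from][msg.sender] -= value; // checked math reverts on insufficient allowance
        _move(from, to, value);
        return true;
    }

    // Burns the fee, so the receiver's balance grows by `value - fee`, not `value`.
    function _move(address from, address to, uint256 value) private {
        uint256 fee = (value * FEE_BPS) / 10_000;
        balanceOf[from] -= value; // checked math reverts on insufficient balance
        balanceOf[to] += value - fee;
        totalSupply -= fee;
        emit Transfer(from, to, value - fee);
        emit Transfer(from, address(0), fee);
    }
}
```

With this token deployed as `stakingToken`, a stake of 100 base units or more makes the balance-delta `require` revert with "Fee deducted during transfer". Below 100 base units the 1% fee rounds down to zero, so the check passes.
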
Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
