malicious actor can frontrun depositRAACFromPool and steal reward tokens
Vulnerability Details
a user can frontrun depositRAACfrompool to steal reward tokens the vulnerability stems from the fact that the depositRAACfrom pool increases the numerator of the reward calculation
The calculateRaacRewards function calculates user rewards as
Where
totalRewards = raacToken.balanceOf(address(this)).
attack scenario
1. Attacker monitors for depositRAACFromPool transactions in the mempool.
2. Front-runs it with a deposit to increase their userDeposit share.
3. After the RAAC deposit, the attacker’s reward share is inflated.
Example:
Initial State:
1.totalDeposits (deToken supply): 100
2.totalRewards (RAAC balance): 100
3.attacker sees a depositRAACFromPool of 100 RAAC in the mempool
4.Attacker Front-Runs:
5.Deposits 50 rToken → Mints 50 deToken.
6.New totalDeposits: 150.
7.RAAC Deposit Executes:
8.depositRAACFromPool adds 100 RAAC.
9.New totalRewards: 200.
10.attacker claims
Rewards = (50 / 150) * 200 = 66.67 RAAC
Normal Deposit Without RAAC (Baseline)
Steps:
Initial State:
totalDeposits: 100
totalRewards: 100
Attacker Deposits Normally:
Deposits 50 rToken → Mints 50 deToken.
New totalDeposits: 150.
No RAAC Deposit Occurs:
totalRewards remains 100
userClaims Rewards:
Rewards = (50 / 150) * 100 = 33.33 RAAC
Impact
theft of rewards by frontrunning a deposit of raac transfer
Recommendations
the deposit raac from stabilitypool should account for a scenario where deposit of raac increases the numerator of the raac rewards distribution
Lead Judging Commences
StabilityPool::calculateRaacRewards is vulnerable to just in time deposits
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.