Core Contracts

Summary

Malicious users can steal RAAC rewards through the FeeCollector contract. With the claimRewards, users who hold veRAAC tokens can claim RAAC rewards from the FeeCollector. Due to the absence of a coolDown period in the claimRewards function, attackers can call the increase lock to add more RAAC token and call claimRewards some seconds later to claim RAAC tokens.

Vulnerability Details

• Attacker acquired 500 RAAC token to lock in the veRAACToken contract for a duration of two years.

• He gets 250 veRAAC token. One year later he would have accumulated enough voting right. see

  => (500*1e18) * 2 years / 4 years

  => 500000000000000000000 * 730 days / 1460 days

  => 500000000000000000000 * 1 / 2

  => 250000000000000000000

• Assume that protocol has distributed massive collected fees with the distributeCollectedFeesto update totalDistributed variable in L415.
  https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/collectors/FeeCollector.sol#L415

• Attacker calls the increase function with 100 RAAC in veRAACToken contract to increase his amount to 600 RAAC token.

• Notice how this increased RAAC token will boost the pendingReward of the attacker. see _calculatePendingRewards(user).

• Attacker calls the claimRewards after 10 days, or enough days to generate RAAC rewards, resend tokens into veRAAC contract, and claim again.

Impact

• Protocol loses distributed RAAC tokens generated from fee collection to attackers.

• Some users will claim more rewards than others.

Tools Used

Manaual review.

Recommendations

Add a cooldown period in the claimRewards function. Currently, in the contract, there is a function called _updateLastClaimTime which can be integrated to fix cool downs.