The reward distribution mechanism allows users to withdraw a very small amount of R tokens and receive disproportionately high RAAC rewards. This happens because rewards are calculated from the user's full balance rather than the amount the user is withdrawing. This enables users to repeatedly exploit the system by performing micro withdrawals, leading to the depletion of the RAAC reward pool.
The problem here is that it uses
uint256 userDeposit = userDeposits[user];
which takes the user's whole balance into account and calculates rewards on the basis of that whole balance rather than the amount the user is withdrawing.
Example scenario, assume:
User has 1,000 R tokens deposited
Total deToken supply = 50,000 deTokens
RAAC reward pool contains 25,000 RAAC tokens
Attack steps:
User withdraws 1 R token:
userDeposit = 1,000 (full balance used for calculation)
totalDeposits (deToken supply) = 50,000
totalRewards = 25,000 RAAC
Rewards = (25,000 * 1,000) / 50,000 = 500 RAAC
User can repeat this process multiple times:
Each tiny withdrawal grants rewards based on the full 1,000 R token balance.
User can withdraw 1 R token repeatedly, each time claiming rewards calculated on the 1,000 R balance (minus 1 R token every time, but the user can even lower this value; this example is just for context).
This drains the reward pool unfairly.
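The scenario above as a small Python model, added here as an illustration and not taken from the RAAC contracts. The function names, the pool and supply update rules, and the reward_withdrawn_amount comparison formula are assumptions; the model checks whether splitting one withdrawal into several changes the total payout.

```python
# Toy model of the accounting described in this finding (constructed for
# illustration; not the RAAC contract code). Assumptions: the reward pool
# shrinks by each payout and deToken supply shrinks 1:1 with withdrawn R.

def reward_full_balance(user_deposit, amount, total_deposits, total_rewards):
    # Behaviour the finding describes: the withdrawn amount is ignored.
    return total_rewards * user_deposit // total_deposits

def reward_withdrawn_amount(user_deposit, amount, total_deposits, total_rewards):
    # Assumed alternative for comparison: scale by the amount leaving.
    return total_rewards * amount // total_deposits

def simulate(reward_fn, withdrawals, user_deposit=1_000,
             total_deposits=50_000, total_rewards=25_000):
    """Return (RAAC paid, R withdrawn, RAAC left in pool)."""
    paid = withdrawn = 0
    for amount in withdrawals:
        if amount <= 0 or amount > user_deposit:
            raise ValueError("invalid withdrawal amount")
        reward = min(reward_fn(user_deposit, amount, total_deposits, total_rewards),
                     total_rewards)
        user_deposit -= amount
        total_deposits -= amount
        total_rewards -= reward
        paid += reward
        withdrawn += amount
    return paid, withdrawn, total_rewards

def split_gain(reward_fn, amount, parts):
    """Extra RAAC earned by splitting one withdrawal into equal parts.
    A positive value means the formula rewards splitting."""
    if amount % parts:
        raise ValueError("amount must divide evenly into parts")
    single, _, _ = simulate(reward_fn, [amount])
    split, _, _ = simulate(reward_fn, [amount // parts] * parts)
    return split - single

if __name__ == "__main__":
    for fn in (reward_full_balance, reward_withdrawn_amount):
        print(fn.__name__, simulate(fn, [1] * 5), split_gain(fn, 5, 5))
```

A check like split_gain fits naturally into a fuzz or invariant test: the total reward for withdrawing a given amount should not grow when the withdrawal is split.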
Users can extract disproportionate rewards through multiple small withdrawals
RAAC reward pool will be drained quickly
Unfair distribution of rewards
Manual audit