Core Contracts

Description:

​

The `StabilityPool:deposit` function does not enforce a minimum deposit amount for earning rewards. This allows users to deposit an extremely small amount (e.g., 1 wei) and still be eligible for rewards.

​

The `StabilityPool:withdraw` function relies on `calculateRaacRewards` to determine the total rewards a user should receive. However, `calculateRaacRewards` calculates rewards based on the __entire contract balance__ rather than the user's actual deposit amount. As a result, a user who deposits only **1 wei** can receive a disproportionately large share of the rewards, as if they had deposited the full contract balance. This creates a severe imbalance and can be exploited to drain rewards unfairly.

​

Impact:

​

The user can receive excessive rewards by depositing only 1 wei or any minimal amount, as the reward calculation considers the entire contract balance instead of the user's actual deposit. This can lead to an unfair distribution of rewards, allowing users to exploit the system and drain the reward pool without making a significant contribution.

​

Proof of Concept:

​

1. User A deposits 1 wei into the StabilityPool.

2. Call `StabilityPool:calculateRaacRewards` to check how rewards are calculated.

3. Expected: Rewards should be proportional to the user's deposit.

4. Actual: The function considers the entire contract balance, not just the deposited amount.

5. User A withdraws rewards using `StabilityPool:withdraw`.

6. The user receives rewards as if they had deposited the full contract balance.

​

​

Recommended Mitigation:

​

- Use the user deposited amount to calculate rewards instead of the whole contract balance

​

​

- uint256 totalRewards = raacToken.balanceOf(address(this));

+ uint256 totalRewards = raacToken.balanceOf(user);