To understand this, let's look at the overall deposit and withdraw workflow in the Stability Pool.
DEPOSIT
RAACReward minted to contract
RToken transferred from User to Contract
Corresponding deToken minted to User
User's deposit mapping gets updated
RAACReward minted to contract
WITHDRAW
RAACReward minted to contract
Corresponding RToken amount calculated
RAACReward for User calculated
Some sanity checks, state update, then deToken burned
Corresponding RToken gets transferred
Then, if any reward for the user is present, the reward token is transferred to the caller
The buggy part here is how the reward is calculated.
So any user can track how reward is accumulated in the StabilityPool.
A malicious user then takes a flash loan / deposits a huge amount of RToken into the Stability Pool, then calls withdraw in the next transaction.
As the RAAC reward is calculated by the following formula and the malicious user's deposit balance is significantly high in the pool, he can take a large chunk of the rewards out of the pool.
The malicious user keeps repeating this step whenever the Stability Pool accumulates rewards.
Genuine users will lose their rewards.
Manual review
Implement something like a timelock, or more appropriately an indexing method that increases linearly with time.
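The difference between the two accounting schemes, as an added Python model that is not RAAC's contract code. It assumes the current pool pays pending rewards in proportion to the caller's balance at withdrawal time; the class names, user names and amounts are constructed for illustration, and the index shown is one form of the indexing approach recommended above.

```python
# Added model, not RAAC contract code. Assumption: the snapshot pool pays
# pending_rewards * user_deposit / total_deposits at withdrawal time.
PRECISION = 10**18

class SnapshotPool:
    """Reward share is read from balances at the moment of withdrawal."""
    def __init__(self):
        self.deposits, self.rewards = {}, 0
    def accrue(self, amount):
        self.rewards += amount
    def deposit(self, user, amount):
        self.deposits[user] = self.deposits.get(user, 0) + amount
    def withdraw(self, user):
        total = sum(self.deposits.values())
        payout = self.rewards * self.deposits.pop(user) // total
        self.rewards -= payout
        return payout

class IndexedPool:
    """Reward-per-token index: a deposit earns only what accrues after it."""
    def __init__(self):
        self.deposits, self.checkpoint, self.owed = {}, {}, {}
        self.total = self.index = 0
    def accrue(self, amount):
        if self.total:
            self.index += amount * PRECISION // self.total
    def _settle(self, user):
        # Credit rewards earned since the user's last checkpoint.
        delta = self.index - self.checkpoint.get(user, self.index)
        earned = self.deposits.get(user, 0) * delta // PRECISION
        self.owed[user] = self.owed.get(user, 0) + earned
        self.checkpoint[user] = self.index
    def deposit(self, user, amount):
        self._settle(user)
        self.deposits[user] = self.deposits.get(user, 0) + amount
        self.total += amount
    def withdraw(self, user):
        self._settle(user)
        self.total -= self.deposits.pop(user)
        return self.owed.pop(user)

def scenario(pool):
    pool.deposit("alice", 1_000)   # long-term depositor (constructed values)
    pool.accrue(500)               # rewards build up while only alice is in
    pool.deposit("late", 99_000)   # large deposit just before withdrawing
    return pool.withdraw("late"), pool.withdraw("alice")
```

`scenario` returns the pair (late depositor's payout, long-term depositor's payout) for whichever pool it is given.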