Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Reward Tracking Reset on Collateral Change in RAAC StabilityPool.sol

nitinaimshigh

Summary

In StabilityPool.sol, when collateral is removed or replaced, there’s a lack of tracking for previously accumulated rewards associated with that collateral.

This can lead to incorrect reward distributions when collateral types are sunset or updated.

Vulnerability Details

Scenario: Collateral Gets Replaced, Users Lose Rewards

Setup:

User Alice deposits 1,000 rToken into the RAAC Stability Pool.
The Stability Pool accumulates rewards in RAAC tokens over time.
The reward distribution relies on the global state variables tracking user deposits and market allocations.

Step 1: Alice Deposits into StabilityPool

Alice deposits 1,000 rToken, and based on the exchange rate, she receives deTokens.

rToken.safeTransferFrom(Alice, address(this), 1000);

uint256 deTokens = calculateDeCRVUSDAmount(1000);

deToken.mint(Alice, deTokens);

userDeposits[Alice] += 1000;

At this point, Alice starts earning rewards in RAAC tokens.

Step 2: RAAC Rewards Accumulate Over Time

As Alice keeps her deposit in the pool:

The _mintRAACRewards() function mints new RAAC tokens periodically.
Alice's rewards increase proportionally based on her deposit.

uint256 raacRewards = calculateRaacRewards(Alice);

Step 3: Admin Replaces Collateral (Bug Trigger)

The protocol decides to replace an old collateral type (e.g., rToken) with a new version.

supportedMarkets[oldCollateral] = false; // Disable old collateral

marketAllocations[oldCollateral] = 0; // Reset allocation

supportedMarkets[newCollateral] = true; // Enable new collateral

marketAllocations[newCollateral] = newAllocation;

Issue: The global tracking variables are reset:

marketAllocations[oldCollateral] is set to zero.
totalAllocation gets recalculated without tracking old rewards.
Any previously earned rewards that were still pending for Alice are lost.

Step 4: Alice Tries to Withdraw

When Alice withdraws, she expects to receive:

Her staked rToken (1,000).
Her accumulated RAAC rewards.

However, because the market allocations were reset, the pending rewards calculation fails.

uint256 raacRewards = calculateRaacRewards(Alice); // Returns 0 instead of her actual earnings

Alice receives fewer rewards than expected, or in extreme cases, nothing at all.

Impact

Users lose rewards when collateral is updated.

The last users to claim might get no rewards if others claim first.

Tools Used

Manual Review

Recommendations

Track rewards separately per collateral type rather than globally.

Introduce a grace period after collateral replacement so users can claim old rewards.

Update withdraw() logic to check if pending rewards exist from old collateral before resetting state.

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.