Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

Lack of Contract Balance Check Before Making Reward Transfer in `FeeCollector::claimRewards` function

Summary

The FeeCollector::claimRewards function does not check whether the contract has a sufficient balance of raacToken before attempting a transfer. If the contract's balance is lower than the pendingReward, the transaction will fail, preventing users from claiming their rewards.

Vulnerability Details

The function assumes that the contract always has enough tokens to fulfill reward claims. However, if the contract's balance is insufficient due to mismanagement, external withdrawals, or untracked transfers, the safeTransfer call may fail. This could leave users unable to claim their rewards and potentially disrupt the reward distribution system.

    function claimRewards(address user) external override nonReentrant whenNotPaused returns (uint256) {
        if (user == address(0)) revert InvalidAddress();
        uint256 pendingReward = _calculatePendingRewards(user);
        if (pendingReward == 0) revert InsufficientBalance();
        // Reset user rewards before transfer
        userRewards[user] = totalDistributed;
        // Transfer rewards
        raacToken.safeTransfer(user, pendingReward);
        emit RewardClaimed(user, pendingReward);
        return pendingReward;
    }

Example Scenario:

  1. A user calls claimRewards to claim 1000 tokens.

  2. The contract calculates pendingReward = 1000 but only has 500 tokens in its balance.

  3. The safeTransfer call fails, reverting the transaction and preventing the user from claiming their rewards.

Impact

Users may be unable to claim their rewards if the contract lacks sufficient funds.
The reward claim process will be disrupted for all users until the contract is funded with sufficient tokens.

Tools Used

Manual code review

Recommendations

To mitigate this vulnerability, add a check to ensure that the contract has a sufficient balance of raacToken before attempting to transfer rewards.
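One way to write the recommended check, as an added sketch that is not the project's code or part of the original submission. The contract name FeeCollectorSketch, the IERC20Minimal interface, the InsufficientRewardBalance and TransferFailed errors, the recordDistribution helper and the body of _calculatePendingRewards are all assumptions made so the example compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal ERC-20 surface for this sketch (the page's contract uses safeTransfer instead).
interface IERC20Minimal {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract FeeCollectorSketch {
    error InvalidAddress();
    error InsufficientBalance();
    error TransferFailed();
    // Hypothetical error name, not taken from the project.
    error InsufficientRewardBalance(uint256 available, uint256 required);

    event RewardClaimed(address indexed user, uint256 amount);

    IERC20Minimal public immutable raacToken;
    uint256 public totalDistributed;
    mapping(address => uint256) public userRewards;

    constructor(IERC20Minimal token) { raacToken = token; }

    // Test-only helper (assumed): records a distribution so a claim has something pending.
    function recordDistribution(uint256 amount) external { totalDistributed += amount; }

    // Stand-in for the project's reward accounting, which the page does not show.
    function _calculatePendingRewards(address user) internal view returns (uint256) {
        return totalDistributed - userRewards[user];
    }

    // nonReentrant and whenNotPaused are omitted only to keep the sketch free of imports.
    function claimRewards(address user) external returns (uint256) {
        if (user == address(0)) revert InvalidAddress();
        uint256 pendingReward = _calculatePendingRewards(user);
        if (pendingReward == 0) revert InsufficientBalance();

        // Added check: revert with the shortfall before touching user state.
        uint256 available = raacToken.balanceOf(address(this));
        if (available < pendingReward) revert InsufficientRewardBalance(available, pendingReward);

        userRewards[user] = totalDistributed;
        if (!raacToken.transfer(user, pendingReward)) revert TransferFailed();
        emit RewardClaimed(user, pendingReward);
        return pendingReward;
    }
}
```

With this check an underfunded claim still reverts, and the revert rolls back the userRewards update in both versions. What changes is that the caller receives the available and required amounts instead of the token's own transfer error.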

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
