Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Incorrect Reward Distribution in StabilityPool

Summary

The StabilityPool contract allows users to deposit rToken and receive deToken, while also earning RAAC rewards. However, the reward distribution mechanism does not account for the duration of a user’s stake, leading to unfair allocation where new depositors receive the same rewards as long-term participants.

Vulnerability Details
https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/pools/StabilityPool/StabilityPool.sol#L174

In the deposit function, when a user deposits rToken, they receive deToken based on the exchange rate at the time of deposit. The function also triggers _mintRAACRewards, which calls raacMinter.tick(). However, there is no mechanism ensuring that rewards are distributed based on staking duration. Instead, all users receive rewards based solely on their deposit amounts.

The function _mintRAACRewards mints RAAC tokens based on block emissions but does not differentiate between users who have been staking for a long time and new entrants. The function calculateRaacRewards determines user rewards in proportion to deposit amount rather than time staked.

Impact

Long-term stakers do not receive additional incentives for keeping their deposits in the pool.

Tools Used

Manual code review

Recommendations

Implement a time-weighted reward mechanism to fairly distribute RAAC rewards based on staking duration.
Modify calculateRaacRewards to factor in time staked, such as using a multiplier based on staking duration.
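
The difference between the two accounting rules, as an added Python model (not code from the RAAC repository or from the submission). It assumes the current rule pays the pool's reward balance times the user's share of deposits at calculation time, as described above; the class names, users and amounts are constructed for illustration, and the time-weighted variant uses a cumulative reward-per-share accumulator as one possible implementation of the recommendation.

```python
# Constructed model, not RAAC code: two payout rules for a staking pool.
PRECISION = 10**18  # fixed-point scale, mirroring 18-decimal token math

class SnapshotPool:
    """Assumed current rule: reward balance * deposit / total deposits, at claim time."""
    def __init__(self):
        self.deposits, self.reward_balance = {}, 0

    def deposit(self, user, amount):
        self.deposits[user] = self.deposits.get(user, 0) + amount

    def emit(self, amount):  # stands in for emissions minted into the pool
        self.reward_balance += amount

    def pending(self, user):
        total = sum(self.deposits.values())
        return self.reward_balance * self.deposits.get(user, 0) // total if total else 0

class AccumulatorPool:
    """Time-weighted rule: an emission is credited only to deposits present when it is minted."""
    def __init__(self):
        self.deposits, self.debt, self.accrued = {}, {}, {}
        self.total = 0
        self.acc_per_share = 0  # cumulative reward per deposited unit, scaled by PRECISION

    def pending(self, user):
        owed = self.deposits.get(user, 0) * self.acc_per_share // PRECISION
        return self.accrued.get(user, 0) + owed - self.debt.get(user, 0)

    def deposit(self, user, amount):
        self.accrued[user] = self.pending(user)  # settle before the balance changes
        self.deposits[user] = self.deposits.get(user, 0) + amount
        self.total += amount
        # New deposit starts with no claim on rewards emitted before it arrived.
        self.debt[user] = self.deposits[user] * self.acc_per_share // PRECISION

    def emit(self, amount):
        if self.total:
            self.acc_per_share += amount * PRECISION // self.total

def scenario(pool):
    pool.deposit("alice", 1000)   # long-term staker (constructed)
    for _ in range(100):          # 100 emission ticks of 10 reward units each
        pool.emit(10)
    pool.deposit("bob", 1000)     # arrives after all emissions (constructed)
    return pool.pending("alice"), pool.pending("bob")

if __name__ == "__main__":
    print("snapshot    (alice, bob):", scenario(SnapshotPool()))
    print("accumulator (alice, bob):", scenario(AccumulatorPool()))
```

Under the snapshot rule the late depositor is owed half of the rewards emitted before they joined; under the accumulator rule those rewards stay with the deposits that were in the pool while they accrued.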

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

StabilityPool::calculateRaacRewards is vulnerable to just in time deposits
