The calculation for reward distribution is incorrect.
Summary
The reward amount of a user is calculated with his own voting power which can change. In addition, users can claim their pending rewards any time. This calculation is completely incorrect, which could result in severe imbalance.
Vulnerability Details
The amount of rewards that should be given to a user is proportional to his own voting power. However, the amount of total rewards and the voting power of every users can change.
https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/collectors/FeeCollector.sol#L479-L488
This calculation is completely incorrect, which could result in severe imbalance.
Consider the following scenario:
Alice's voting power is 100.
Bob's voting power is 50.
The total amount of rewards is 1500.
Alice claims her pending rewards.
The amount of pending rewards is 1500 * 100 / (100 + 50) = 1000.
The remaining amount of rewards is 1500 - 100 =500Bob's voting power changes from 50 to 2000.
Bob claims his pending rewards.
The amount of pending rewards is 1500 * 200 / (100 + 200) = 1000.
But there are only 500 tokens left.
As a result, Bob cannot claim his rewards.
Impact
Incorrect rewards calculation.
Recommendations
Reward calculation mechanism should be improved.
Lead Judging Commences
Time-Weighted Average Logic is Not Applied to Reward Distribution in `FeeCollector`
Time-Weighted Average Logic is Not Applied to Reward Distribution in `FeeCollector`
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.