The `StabilityPool.calculateRaacRewards()` Function Is Incorrect
Summary
The StabilityPool.calculateRaacRewards() function calculates the user reward amount based on the current ratio between the user's deposit amount and the total deposit amount. This mechanism is flawed. If a user withdraws 1 wei multiple times, they will receive nearly the same reward for each withdrawal, allowing them to drain almost all the rewards.
Vulnerability Details
The StabilityPool.calculateRaacRewards() function calculates the user reward amount based on the current ratio between the user's deposit amount and the total deposit amount.
A malicious user can drain almost all the rewards. For example:
totalRewards: 100totalDeposits: 1000userDeposit: 500
The malicious user withdraws 1:
They receive a reward amount of (100 * 500 / 1000) = 50
totalRewards: 50totalDeposits: 999userDeposit: 499
The malicious user withdraws 1 again:
They receive a reward amount of (50 * 499 / 999) = 24.97
totalRewards: 25.03totalDeposits: 998userDeposit: 498
As demonstrated, in each step, the malicious user can receive nearly half of the total rewards. By iterating this withdrawal process, they can drain almost all the rewards.
Impact
A malicious user can drain almost all the rewards.
Tools Used
Manual review
Recommendations
Implement an individual reward index.
Lead Judging Commences
StabilityPool::withdraw can be called with partial amounts, but it always send the full rewards
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.