Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

User Can Deposit and Immediately Withdraw to Get RAAC Rewards Enabling Rewards Harvesting via Flash Loan

4rk4rk

Summary

It is observed that a vulnerability in the StabilityPool contract allows users to perform a flash loan attack by depositing and immediately withdrawing funds to unfairly harvest RAAC rewards. This can be exploited through multiple rapid deposit/withdraw cycles to drain RAAC rewards from the pool.

Vulnerability Details

The vulnerability exists in the withdraw() function of the StabilityPool contract that allows users to immediately withdraw their deposits while still receiving RAAC rewards. The key issues:

In withdraw(), RAAC rewards are calculated and distributed based on the current deposit state:

contracts/core/pools/StabilityPool/StabilityPool.sol#L229

uint256 raacRewards = calculateRaacRewards(msg.sender);
...
if (raacRewards > 0) {
raacToken.safeTransfer(msg.sender, raacRewards);
}
The calculateRaacRewards() function bases rewards on the user's current deposit ratio:

contracts/core/pools/StabilityPool/StabilityPool.sol#L251C1-L259C6

function calculateRaacRewards(address user) public view returns (uint256) {
uint256 userDeposit = userDeposits[user];
uint256 totalDeposits = deToken.totalSupply();

uint256 totalRewards = raacToken.balanceOf(address(this));
if (totalDeposits < 1e6) return 0;

return (totalRewards * userDeposit) / totalDeposits;
}
There is no minimum deposit time requirement or rewards vesting period, allowing immediate withdrawals.

An attacker could:

Take a flash loan of crvUSD, deposit into lending pool and mint rTokens
Call deposit() with large amount
Call withdraw() immediately
Receive RAAC rewards proportional to the large deposit
Repay flash loan
Repeat the cycle

Impact

The impact is high as this issue:

Allows complete drain of RAAC rewards tokens
Easy to exploit to achieve the maximum impact via flash loans

Tools Used

Manual code review

Recommendations

To incentivize user to stake their asset into the StabilityPool in exchange for RAACToken rewards and ensure fair rewards distribution:

The rewards amount for users should also be proportional to their staking duration. Consider adding reward vesting or linear distribution.
Implement a minimum deposit time requirement before rewards can be claimed.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 months ago

Submission Judgement Published

Validated

Assigned finding tags:

StabilityPool::calculateRaacRewards is vulnerable to just in time deposits

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.