Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Reward Calculation Vulnerability due to Dynamic Voting Power

Summary

The _calculatePendingRewards function computes pending rewards based solely on the user's current voting power, ignoring how that voting power has fluctuated over the reward period.

Vulnerability Details

In the _calculatePendingRewards function, the reward share is determined by the formula at https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/collectors/FeeCollector.sol#L486

The voting power is the user's current veRAACToken balance. That balance can be obtained by locking for a short duration, so a user can claim rewards based on their current veRAACToken balance and then withdraw seconds later.

Because the calculation relies only on current voting power, malicious users can temporarily inflate their voting power (for example, by staking just before a claim) to take a larger share of the rewards, causing a loss of rewards to other participants.

Impact

  • Legitimate users may be deprived of rewards they are entitled to based on their long-term participation.

Tools Used

Manual Review

Recommendations

Ensure that the reward distribution reflects each user’s participation over a period, not just the current state.
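The following Python model is an added illustration of the vulnerability described above and of the time-weighted recommendation; it is not code from the RAAC repository. It assumes a simplified share formula (user power divided by total power, times the period's rewards), which is an assumption about the FeeCollector logic rather than a copy of it. The user names, timestamps and reward amount are constructed. The point it shows is that a snapshot of voting power taken at distribution time rewards a lock that exists for one second as much as one held all period, while integrating voting power over the period (power-seconds) does not.

```python
from typing import Dict, List, Tuple

# A user's voting-power history as (timestamp, new_power) events, sorted by time.
# This is a constructed, simplified stand-in for a veToken balance history.
History = List[Tuple[int, int]]

# Constructed scenario: Alice holds 100 power for the whole period [0, 100);
# Bob locks 900 at t=99 and exits at t=101, right after distribution at t=100.
REWARDS = 1_000_000  # constructed: fees accrued over the period, in base units
PERIOD_START, PERIOD_END, DISTRIBUTION_TIME = 0, 100, 100
HISTORIES: Dict[str, History] = {
    "alice": [(0, 100)],
    "bob": [(99, 900), (101, 0)],
}


def power_at(history: History, t: int) -> int:
    """Voting power in effect at time t (piecewise-constant between events)."""
    power = 0
    for ts, new_power in history:
        if ts > t:
            break
        power = new_power
    return power


def power_seconds(history: History, start: int, end: int) -> int:
    """Integral of voting power over [start, end): the time-weighted participation."""
    breakpoints = sorted({start, end, *(ts for ts, _ in history if start < ts < end)})
    return sum(power_at(history, a) * (b - a) for a, b in zip(breakpoints, breakpoints[1:]))


def _proportional(weights: Dict[str, int], rewards: int) -> Dict[str, int]:
    # Assumed share formula: rewards * weight / total weight, floored like integer math on-chain.
    total = sum(weights.values())
    return {u: (rewards * w // total if total else 0) for u, w in weights.items()}


def share_by_current_power(histories: Dict[str, History], t: int, rewards: int) -> Dict[str, int]:
    """Vulnerable model: weight each user by voting power at the instant of distribution."""
    return _proportional({u: power_at(h, t) for u, h in histories.items()}, rewards)


def share_by_time_weighted_power(histories: Dict[str, History], start: int, end: int,
                                 rewards: int) -> Dict[str, int]:
    """Recommended model: weight each user by voting power integrated over the period."""
    return _proportional({u: power_seconds(h, start, end) for u, h in histories.items()}, rewards)


if __name__ == "__main__":
    snapshot = share_by_current_power(HISTORIES, DISTRIBUTION_TIME, REWARDS)
    weighted = share_by_time_weighted_power(HISTORIES, PERIOD_START, PERIOD_END, REWARDS)
    print("current-power snapshot:", snapshot)   # Bob's one-second lock takes 90%
    print("time-weighted average:", weighted)    # Bob's share shrinks to under 9%
```

Under the snapshot model Bob's 900 power held for a single second outweighs Alice's 100 power held for all 100 seconds; under the time-weighted model Alice's 10,000 power-seconds dominate Bob's 900. A real implementation would keep running accumulators (or checkpoints) rather than replaying histories, but the accounting invariant is the same: what is rewarded is participation over the period, not the balance at claim time.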

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Time-Weighted Average Logic is Not Applied to Reward Distribution in `FeeCollector`
