Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
Prize pool: 77,280 USDC

Submission Details
Severity: high
Status: Invalid

Double claiming of rewards in `FeeCollector` contract

Summary

The claimRewards() function in FeeCollector contract allows users to claim their rewards multiple times within the same distribution period because there's no check to prevent claiming before the next distribution occurs.

Vulnerability Details

The issue exists in the claimRewards() function which calculates rewards based on totalDistributed but doesn't track or verify if a user has already claimed rewards for the current distribution period:

    function claimRewards(address user) external override nonReentrant whenNotPaused returns (uint256) {
        if (user == address(0)) revert InvalidAddress();

        uint256 pendingReward = _calculatePendingRewards(user);
        if (pendingReward == 0) revert InsufficientBalance();

        // Reset user rewards before transfer
        userRewards[user] = totalDistributed;

        // Transfer rewards
        raacToken.safeTransfer(user, pendingReward);

        emit RewardClaimed(user, pendingReward);
        return pendingReward;
    }

The issue is that totalDistributed only updates in _processDistributions() which is called by distributeCollectedFees(). Between distributions, a user can call claimRewards() multiple times because:

  • _calculatePendingRewards() will return the same amount each time since totalDistributed hasn't changed

  • Although userRewards[user] is updated to totalDistributed, without a new distribution this doesn't prevent further claims

  • There's no tracking of when users last claimed or which distribution period they claimed from

Impact

This allows malicious users to drain the contract's balance by claiming the same rewards multiple times before the next distribution occurs.

Tools Used

Manual Review

Recommendations

Add distribution period tracking and prevent multiple claims within the same period.
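The following Python model, added here and not part of the submission or the RAAC code base, shows the accounting that the Vulnerability Details and the Recommendation above are discussing: a `userRewards`-style checkpoint against `totalDistributed`, plus an explicit per-distribution-period claim record as the recommendation asks for. Everything beyond the names on the page (`claimRewards`, `userRewards`, `totalDistributed`, `InvalidAddress`, `InsufficientBalance`) is an assumption: the `stake`/`distribute` functions, the `AlreadyClaimed` error, and the pro-rata pending-reward formula, since the page does not show `_calculatePendingRewards`.

```python
"""Model of checkpointed reward claims with per-distribution claim tracking.

Added example, not the project's code. Only claimRewards(), userRewards,
totalDistributed and the two revert names come from the page; the staking
weights, the pending-reward formula, distribute() and AlreadyClaimed are
assumptions made for this model.
"""


class InvalidAddress(Exception):
    """Mirror of the page's InvalidAddress revert."""


class InsufficientBalance(Exception):
    """Mirror of the page's InsufficientBalance revert."""


class AlreadyClaimed(Exception):
    """Hypothetical revert for a second claim inside one distribution period."""


class FeeCollectorModel:
    def __init__(self):
        self.total_distributed = 0  # cumulative reward units, moved only by distribute()
        self.distribution_id = 0    # hypothetical period counter (the recommendation)
        self.stakes = {}            # user -> weight used to pro-rate rewards (assumption)
        self.user_rewards = {}      # user -> totalDistributed checkpoint, as on the page
        self.last_claimed = {}      # user -> distribution_id of the last claim (recommendation)
        self.paid_out = 0           # tokens transferred so far, to check conservation

    def stake(self, user, weight):
        # A new staker starts from the current checkpoint, so they earn nothing
        # from distributions that happened before they joined.
        self.stakes[user] = self.stakes.get(user, 0) + weight
        self.user_rewards.setdefault(user, self.total_distributed)

    def distribute(self, amount):
        """Analogue of _processDistributions(): the only place totalDistributed moves."""
        if amount <= 0:
            raise ValueError("nothing to distribute")
        self.total_distributed += amount
        self.distribution_id += 1

    def _calculate_pending(self, user):
        # Assumed formula: the user's share of everything distributed since
        # their checkpoint, rounded down like Solidity integer math.
        total_weight = sum(self.stakes.values())
        if total_weight == 0:
            return 0
        delta = self.total_distributed - self.user_rewards.get(user, 0)
        return delta * self.stakes.get(user, 0) // total_weight

    def claim(self, user):
        if user is None:
            raise InvalidAddress()
        # Recommended period check: at most one claim per distribution period.
        if self.last_claimed.get(user) == self.distribution_id:
            raise AlreadyClaimed()
        pending = self._calculate_pending(user)
        if pending == 0:
            raise InsufficientBalance()
        # Checkpoint before paying, in the same order as the page's claimRewards().
        self.user_rewards[user] = self.total_distributed
        self.last_claimed[user] = self.distribution_id
        self.paid_out += pending
        return pending


def scenario():
    """Two stakers, two distributions (constructed values).

    Returns ((alice_first, alice_second_period, bob), paid_out, repeat_claim_error).
    """
    fc = FeeCollectorModel()
    fc.stake("alice", 3)
    fc.stake("bob", 1)
    fc.distribute(1000)
    first = fc.claim("alice")            # 3/4 of 1000 = 750
    try:
        fc.claim("alice")                # same period again: rejected
        repeat_error = None
    except (AlreadyClaimed, InsufficientBalance) as exc:
        repeat_error = type(exc).__name__
    fc.distribute(400)
    alice_again = fc.claim("alice")      # 3/4 of the new 400 = 300
    bob = fc.claim("bob")                # 1/4 of 1400 = 350, nothing claimed before
    return (first, alice_again, bob), fc.paid_out, repeat_error


if __name__ == "__main__":
    print(scenario())
```

In this model the period check is what turns a repeat claim into an explicit `AlreadyClaimed`; with the check removed, the checkpoint difference alone makes `_calculate_pending` return 0 for the repeat call and the claim fails with `InsufficientBalance` instead. The `paid_out` total equals the sum of the two distributions, which is the conservation property a reviewer would assert in a test against the real contract.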

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
