Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

`StabilityPool` withdrawals can be sandwiched, `RAACToken` rewards distribution is unfair and exploitable

Summary

RAACToken reward minting in StabilityPool is unfair and can be gamed.

Vulnerability Details

The protocol will be deployed on blockchains with public mempools, such as mainnet, so MEV is a concern.

StabilityPool::withdraw() can be sandwiched to steal rewards from users, especially if the attacker holds a large amount of RToken.

The attack goes like this:

Same block:

  • Attacker: StabilityPool::deposit(). Front-runs the victim. The total supply is inflated by the minting that happens in this call.

  • Victim: StabilityPool::withdraw(). The victim now holds a proportionally smaller share of the deposits: the denominator comes from the total supply, which is now larger. The resulting return value is what is eventually transferred.

  • Attacker: StabilityPool::withdraw(). Back-runs the victim. The attacker, who never cared about holding DEToken, withdraws and receives part of the rewards that the victim should have gotten.

This artificially inflates the value of deToken.totalSupply(), which is used to calculate the rewards sent to the victim on withdrawal.

Because this value is the divisor in calculateRaacRewards(), an attacker with enough funds could even make the division round down to 0.

Furthermore, the system is not only vulnerable to MEV but also unfair: someone who held DEToken for 1 second gets the same rewards as someone who held it for 1 year. There is no incentive to deposit RToken and hold DEToken over time; it is enough to do so in a single block, the one in which RAACToken rewards are minted and distributed.

Impact

  • Stability pool withdrawals can be sandwiched. Note that the attacker does profit: part of the RAAC token amount that the victim does not receive can be claimed by the attacker on the following withdrawal.

  • RAAC reward distribution in the stability pool is really unfair, rendering DEToken quite useless.

Recommendations

All these issues share the same root cause: reward minting does not take into account how long the token has been held.

Introduce per-epoch reward minting or enforce a minimum deposit time before withdrawal is allowed. This makes the system fairer, or at least not MEV-exploitable.
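
The following is an added example, not code from the RAAC contracts or from the submission: a small integer-math model comparing the spot pro-rata payout described above with per-period accounting through a reward-per-share accumulator, which is one way to make rewards depend on holding time. The payout formula, class names, amounts and the `scenario` helper are assumptions made for illustration.

```python
# Constructed model of the reward math; integer division mirrors Solidity.
SCALE = 10**18

class SpotPool:
    """Assumed from the finding: payout = pending * balance // totalSupply at withdrawal."""
    def __init__(self):
        self.bal, self.total, self.pending = {}, 0, 0

    def accrue(self, amount):            # rewards minted for the pool
        self.pending += amount

    def deposit(self, user, amount):
        self.bal[user] = self.bal.get(user, 0) + amount
        self.total += amount

    def withdraw(self, user):
        amount = self.bal.pop(user)
        reward = self.pending * amount // self.total   # supply read at withdrawal time
        self.total -= amount
        self.pending -= reward
        return reward

class AccumulatorPool(SpotPool):
    """Per-period accounting: each accrual is credited to the holders present at that moment."""
    def __init__(self):
        super().__init__()
        self.acc, self.snap = 0, {}      # reward per share (scaled), per-user entry snapshot

    def accrue(self, amount):
        if self.total:
            self.acc += amount * SCALE // self.total

    def deposit(self, user, amount):
        assert user not in self.bal, "model keeps one deposit per user"
        super().deposit(user, amount)
        self.snap[user] = self.acc       # rewards accrued before entry are excluded

    def withdraw(self, user):
        amount = self.bal.pop(user)
        self.total -= amount
        return amount * (self.acc - self.snap.pop(user)) // SCALE

def scenario(pool, reward, late_amount, holder_amount=1000):
    """Holder deposits, rewards accrue, then a same-block deposit lands before the holder's withdrawal."""
    pool.deposit("holder", holder_amount)
    pool.accrue(reward)
    pool.deposit("late", late_amount)
    return pool.withdraw("holder"), pool.withdraw("late")

if __name__ == "__main__":
    for pool, reward in ((SpotPool(), 500), (AccumulatorPool(), 500), (SpotPool(), 5)):
        print(type(pool).__name__, reward, scenario(pool, reward, 9000))
```

Each result is the pair (holder payout, late depositor payout). The third run uses a small reward to show the round-down-to-0 case mentioned above.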

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

StabilityPool::calculateRaacRewards is vulnerable to just in time deposits
