The createMarket function in MarketCreator.sol allows the quoteAsset to be set as raacToken, which is also the rewards token. If the contract lacks sufficient raacToken balance, user funds deposited as quoteAsset may be redistributed as rewards to other users, leading to potential loss or misallocation of funds.
In MarketCreator.sol, markets are created with a specified quoteAsset, and users participate by depositing this asset. The contract then distributes rewards in raacToken upon redemption. However, if a market is created with quoteAsset set as raacToken, the deposited tokens are also used as the reward source. Since rewards are calculated dynamically based on total deposits, this can result in user deposits being unintentionally redistributed as rewards to others instead of being properly returned to them.
Relevant code snippet:
This issue arises due to the following:
When quoteAsset == raacToken, deposited tokens contribute to both user participation and the reward pool.
If the contract does not have additional raacToken allocated for rewards, the calculateReward function will distribute user deposits as rewards.
Loss of User Funds: Users may not receive their full deposits back if the contract does not have enough raacToken reserves.
Manual code review
To prevent this issue, consider one of the following mitigations:
Restrict raacToken as a Quote Asset: Modify createMarket to revert if _quoteAsset == address(raacToken).
Ensure Sufficient Reward Balance: Before distributing rewards, check that the contract’s raacToken balance is at least equal to the total deposited raacToken in markets where quoteAsset == raacToken.
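The shared-balance problem and both mitigations above, as an added example (a simplified Python accounting model, not code from MarketCreator.sol or the project). The class, the flat 10% reward rate, the user names and the `forbid_raac_quote` / `require_solvency` switches are assumptions made for illustration; the real reward formula is not shown on this page.

```python
# Simplified accounting model, constructed for illustration (not MarketCreator.sol).
RAAC = "RAAC"       # stands in for raacToken
REWARD_BPS = 1000   # assumed flat 10% reward per deposit


class InsufficientBalance(Exception):
    pass


class MarketModel:
    def __init__(self, quote_asset, reward_reserve=0, forbid_raac_quote=False):
        # Mitigation 1: refuse the rewards token as the quote asset.
        if forbid_raac_quote and quote_asset == RAAC:
            raise ValueError("quoteAsset must not be raacToken")
        self.quote_asset = quote_asset
        self.balances = {RAAC: reward_reserve}   # tokens held by the contract
        self.balances.setdefault(quote_asset, 0)
        self.deposits = {}                       # user -> principal still owed

    def deposit(self, user, amount):
        self.balances[self.quote_asset] += amount
        self.deposits[user] = self.deposits.get(user, 0) + amount

    def redeem(self, user, require_solvency=False):
        principal = self.deposits[user]
        reward = principal * REWARD_BPS // 10_000
        if require_solvency and self.quote_asset == RAAC:
            # Mitigation 2: rewards may only come from RAAC held in excess
            # of all outstanding principal.
            if self.balances[RAAC] - sum(self.deposits.values()) < reward:
                raise InsufficientBalance("reward reserve")
        after = dict(self.balances)   # work on a copy: all-or-nothing, like a revert
        for token, amount in ((self.quote_asset, principal), (RAAC, reward)):
            if after[token] < amount:
                raise InsufficientBalance(token)
            after[token] -= amount
        self.balances = after
        del self.deposits[user]
        return principal, reward


def shortfall_after_first_redeem(quote_asset, reserve=0):
    """Alice and Bob deposit 100 each, Alice redeems; return what Bob is short."""
    m = MarketModel(quote_asset, reward_reserve=reserve)
    m.deposit("alice", 100)
    m.deposit("bob", 100)
    m.redeem("alice")
    return max(0, m.deposits["bob"] - m.balances[quote_asset])
```

With `quoteAsset == raacToken` and no separate reserve, Alice's 10-token reward is paid out of Bob's principal, so the model reports a shortfall of 10; with a distinct quote asset the two balances never mix.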