Ramses Exchange on Arbitrum hacked about $90k due to wrong reward calculation.

Reward amount is calculated from “tokenTotalSupplyByPeriod” value and this value isn’t decreased after sending reward. “veWithdrawnTokenAmountByPeriod” value is increased, but if use new “tokenId”, the increased value is ignored. This means anyone can get reward several times using different token Ids.

As you can see, before getting reward, hacker deposited as much tokens as reward pool has.

After that, hacker called “getPeriodReward” function twice for each pool using different token Ids, could drain all reward pools. “veWithdrawnTokenAmountByPeriod” shoudn’t consider “tokenId”.
Leave a Reply