Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Users can mint more Vote Power than their deposit

bigsam

Summary

In the veRAACToken.sol users are allowed to increase their stake and their voting power will also increase but these will end up adding more vote power to the user than they should have.

Vulnerability Details

When a user increases his locked token,

/**

* @notice Increases the amount of locked RAAC tokens

* @dev Adds more tokens to an existing lock without changing the unlock time

* @param amount The additional amount of RAAC tokens to lock

function increase(uint256 amount) external nonReentrant whenNotPaused { // bug note total supply can be bypassed // note by pass max lock globally

// Increase lock using LockManager

@audit>> 1. _lockState.increaseLock(msg.sender, amount); // amount incremented and saved so // create max lock per psoition no one is checking global

_updateBoostState(msg.sender, locks[msg.sender].amount);

// Update voting power

@audit>>2. LockManager.Lock memory userLock = _lockState.locks[msg.sender];

(int128 newBias, int128 newSlope) = _votingState.calculateAndUpdatePower(

msg.sender,

@audit>> userLock.amount + amount, // bug amount already incremented

userLock.end

);

// Update checkpoints

uint256 newPower = uint256(uint128(newBias));

@audit>> _checkpointState.writeCheckpoint(msg.sender, newPower);

// Transfer additional tokens and mint veTokens

raacToken.safeTransferFrom(msg.sender, address(this), amount);

@audit>> _mint(msg.sender, newPower - balanceOf(msg.sender)); // minting more power than user actually has....... bug

emit LockIncreased(msg.sender, amount);

}

Increase lock will update the user's locked amount

/**

* @notice Increases the amount in an existing lock

* @dev Adds tokens to existing lock without changing duration

* @param state The lock state storage

* @param user Address increasing their lock

* @param additionalAmount Additional amount to lock

function increaseLock(

LockState storage state,

address user,

uint256 additionalAmount

) internal {

Lock storage lock = state.locks[user];

if (!lock.exists) revert LockNotFound();

if (lock.end <= block.timestamp) revert LockExpired();

// Maximum lock amount

if (lock.amount + additionalAmount > state.maxLockAmount) revert AmountExceedsLimit();

// Maximum total locked amount

// if (state.totalLocked + additionalAmount > state.maxTotalLocked) revert AmountExceedsLimit();

@audit>> lock.amount += additionalAmount; // seee bug updated the lock amount

state.totalLocked += additionalAmount;

emit LockIncreased(user, additionalAmount);

}

When call to get the userlock the locked details will return a already updated locked amount yet we add amount to locked amount giving the users more vote power than they should have.

// Update voting power

@audit>>2. LockManager.Lock memory userLock = _lockState.locks[msg.sender];

(int128 newBias, int128 newSlope) = _votingState.calculateAndUpdatePower(

msg.sender,

@audit>> userLock.amount + amount, // bug amount already incremented

userLock.end

);

E.g

User locks 10 and gets 5 vote power...... 10 * 2years/ 4 years = 5
calls to lock 10 more and get 5 more power to 10 ......... 20 * 2 years/ 4 years = 10
instead they will get 30*2 year/4years = 15 Power
5 more power
if the use deposited 20 directly they will get 10 Power but by breaking the deposit an attacker can again more power to influence the governance of the protocol.

Impact

Users are given more power than the actual amount they deposited. This will affect the governance has users with higher votes can push proposal.

Tools Used

Manual Review

Recommendations

Just user the users locked amount and not add amount

// Update voting power

LockManager.Lock memory userLock = _lockState.locks[msg.sender];

(int128 newBias, int128 newSlope) = _votingState.calculateAndUpdatePower(

msg.sender,

-- userLock.amount + amount, // bug amount already incremented

++ userLock.amount,

userLock.end

);

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago

Submission Judgement Published

Validated

Assigned finding tags:

veRAACToken::increase doubles the voting power of users

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.