Incorrect total supply check in veRAAC token
Summary
The total supply cap check is incorrect in veRAACToken::lock().
Vulnerability Details
In veRAACToken, we have one limitation as below. The owner wants to set one cap for the total veRAAC token based on the comments. We should notice that MAX_TOTAL_SUPPLY and MAX_TOTAL_LOCKED_AMOUNT are different. MAX_TOTAL_SUPPLY is one cap for the total veRAAC token. And MAX_TOTAL_LOCKED_AMOUNT is the total locked RAAC token amout.
The problem is that we use amount(locked RAAC token amount) to check the MAX_TOTAL_SUPPLY limitation incorrectly. We should use newPower(newly minted veRAAC token amount) to check MAX_TOTAL_SUPPLY.
Impact
Incorrect max supply check. This may cause that normal lock transaction will be reverted.
For example: Alice locks 10000 RAAC for 1 years. Then the minted veRAAC amount should be 2500 RAAC. If the totalSupply() + amount > MAX_TOTAL_SUPPLY, this may cause that normal lock will be blocked incorrectly.
Tools Used
Manual
Recommendations
Use newPower to check the MAX_TOTAL_SUPPLY limitation.
Lead Judging Commences
Incorrect `MAX_TOTAL_SUPPLY` check in the `veRAACToken::lock/extend` function of `veRAACToken` could harm locking functionality
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.