Submission Details
Severity:
Missing check for existing lock during creation can result in users funds loss
Summary
Once a lock is created, users should only be able to modify or cancel it, however due to a missing check it is possible for a user to unintenionally delete its existing lock by creating a new one. Therefore the previously locked funds will be lost.
Vulnerability Details
Impact
Add the following to the veToken test:
it("locks can be overwritten", async () => {
const initialAmount = ethers.parseEther("1000");
const newAmount = ethers.parseEther("500");
const duration = 365 * 24 * 3600; // 1 year
// Create initial lock
await veRAACToken.connect(users[0]).lock(initialAmount, duration);
// Create new lock with different amount
await veRAACToken.connect(users[0]).lock(newAmount, duration);
// Verify new lock position
const position = await veRAACToken.getLockPosition(users[0].address);
expect(position.amount).to.equal(newAmount);
});
Tools Used
Manual review.
Recommendations
Revert if lock already exists during new creation:
if (state.locks[user].amount > 0) revert LockExists();
Updates
Lead Judging Commences
inallhonesty about 2 months ago
Submission Judgement Published Assigned finding tags:
veRAACToken::lock called multiple times, by the same user, leads to loss of funds
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.