Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Missing Total Supply Check in Increase Lock Function

0xslowbug

Here's your updated report with the MAX_TOTAL_LOCKED_AMOUNT issue included:

Summary

The smart contract contains two key functions: lock and increase. The lock function ensures that tokens to be locked do not exceed the maximum allowed limit (MAX_LOCK_AMOUNT), the total supply (MAX_TOTAL_SUPPLY), or the global cap on locked tokens (MAX_TOTAL_LOCKED_AMOUNT). However, the increase function, which allows users to add more tokens to an existing lock, does not include checks to enforce either the MAX_TOTAL_SUPPLY or the MAX_TOTAL_LOCKED_AMOUNT.

Affected Code: veRAACToken::increase

Vulnerability Details

The lock function correctly ensures that:

The amount being locked does not exceed the MAX_LOCK_AMOUNT.
The total supply does not exceed the MAX_TOTAL_SUPPLY.
The total locked amount does not exceed MAX_TOTAL_LOCKED_AMOUNT.

However, the increase function lacks these constraints, meaning that:

The total supply can exceed MAX_TOTAL_SUPPLY when users increase their lock.
The total amount of locked tokens can exceed MAX_TOTAL_LOCKED_AMOUNT, violating the system’s intended limit on global token locks.

The vulnerability is in the increase function, where:

There is no check to verify that the additional amount being locked will not cause the total supply to exceed MAX_TOTAL_SUPPLY. If the user hasn't yet reached the MAX_LOCK_AMOUNT. This opens up the possibility for malicious actors or accidental errors to push the total supply beyond the allowed limit.
There is no check to enforce MAX_TOTAL_LOCKED_AMOUNT, which is initialized but never validated.

Impact

The absence of these checks introduces multiple risks, including:

Supply Inflation: The total supply may exceed MAX_TOTAL_SUPPLY, leading to unintended token supply inflation and dilution.

Locked Amount Overflow: More tokens may be locked than the intended MAX_TOTAL_LOCKED_AMOUNT, violating the contract’s economic constraints.

Economic and Trust Risks: The system may fail to enforce supply caps, undermining tokenomics and investor confidence.

Tools Used

Manual code review

Recommendations

Before increasing the lock, ensure that:

The new total supply (including the additional tokens to be locked) does not exceed MAX_TOTAL_SUPPLY:

Since the MAX_TOTAL_SUPPLY is less than MAX_TOTAL_LOCKED_AMOUNT, this effectively checks for both.

if (totalSupply() + amount > MAX_TOTAL_SUPPLY) revert TotalSupplyLimitExceeded();

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

veRAACToken::increase doesn't check the token supply, making it possible to mint over the MAX

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!