A critical vulnerability exists in the veRAACToken contract where increasing a lock position results in double-counting of the additional tokens when calculating voting power. This flaw allows users to receive more voting power than they should based on their actual locked tokens.
The issue occurs in the increase() function of veRAACToken. When a user adds more tokens to their existing lock, the following sequence creates the double-counting:
First, the lock amount is increased in LockManager:
This is called from veRAACToken:
However, when calculating the new voting power, the code adds the amount again:
The issue arises because userLock.amount already includes the additional tokens after increaseLock() is called, but the code then adds the amount again in the power calculation.
User has 100 RAAC tokens locked
User calls increase(50) to add 50 more tokens
Lock amount becomes 150 (100 + 50)
Voting power calculation uses 200 (150 + 50) instead of 150
User receives voting power for 200 tokens while only having locked 150
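The walkthrough above, reproduced in a simplified Python model together with the invariant a regression test should assert (stored voting power must equal the power derived from the stored lock amount). This is an added example, not the contract's code: the class names, the linear-decay formula, MAX_LOCK and the user name are assumptions made for the model.

```python
from dataclasses import dataclass

MAX_LOCK = 1460 * 86400  # assumed maximum lock duration in seconds (model only)

@dataclass
class Lock:
    amount: int
    end: int

class LockManagerModel:
    """Stand-in for the lock bookkeeping: increase_lock mutates the stored amount."""
    def __init__(self):
        self.locks = {}
    def create_lock(self, user, amount, end):
        self.locks[user] = Lock(amount, end)
    def increase_lock(self, user, amount):
        self.locks[user].amount += amount

def voting_power(basis, end, now):
    # Assumed linear decay: basis scaled by the remaining lock time.
    return basis * max(end - now, 0) // MAX_LOCK

class VeTokenModel:
    def __init__(self, fixed):
        self.fixed = fixed
        self.manager = LockManagerModel()
        self.power = {}
    def lock(self, user, amount, end, now):
        self.manager.create_lock(user, amount, end)
        self.power[user] = voting_power(amount, end, now)
    def increase(self, user, amount, now):
        self.manager.increase_lock(user, amount)   # stored amount now includes `amount`
        lock = self.manager.locks[user]
        # Flawed path adds `amount` a second time; fixed path uses the stored amount only.
        basis = lock.amount if self.fixed else lock.amount + amount
        self.power[user] = voting_power(basis, lock.end, now)
        return basis

def check_invariant(token, user, now):
    """True when stored power matches the power implied by the locked amount."""
    lock = token.manager.locks[user]
    return token.power[user] == voting_power(lock.amount, lock.end, now)

def run(fixed):
    # Constructed scenario from the walkthrough: 100 locked, then increase by 50.
    token = VeTokenModel(fixed)
    token.lock("alice", 100, MAX_LOCK, 0)
    basis = token.increase("alice", 50, 0)
    return token.manager.locks["alice"].amount, basis, check_invariant(token, "alice", 0)
```

In this model the flawed path returns a locked amount of 150 with a power basis of 200 and fails the invariant, while the fixed path returns 150 for both and passes.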
Users can obtain inflated voting power by repeatedly increasing their lock positions
Governance voting weight becomes imbalanced, giving certain users more influence than their actual stake
Protocol's voting mechanism integrity is compromised, potentially affecting critical governance decisions
Manual Review
Modify the voting power calculation in the increase() function to use only the updated lock amount: