Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Attacker can bypass the max total supply of veRAACToken by increasing the locked amount instead of creating a new lock

Vulnerability Details

The veRAACToken contract defines MAX_TOTAL_SUPPLY, and the lock() function checks that a new lock will not push the supply past it:

function lock(uint256 amount, uint256 duration) external nonReentrant whenNotPaused {
    if (amount == 0) revert InvalidAmount();
    if (amount > MAX_LOCK_AMOUNT) revert AmountExceedsLimit();
@>  if (totalSupply() + amount > MAX_TOTAL_SUPPLY) revert TotalSupplyLimitExceeded();
    if (duration < MIN_LOCK_DURATION || duration > MAX_LOCK_DURATION)
        revert InvalidLockDuration();
    . . . . . .
}

The increase() function has no such check. Once the max total supply has been reached, the cap can be bypassed by calling increase() to mint more tokens than it should.
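A minimal model of the cap logic described above, as an added example that is not taken from the report or the RAAC code base. It assumes 1:1 minting and a constructed cap value; CapModel, CapRegression, capOnIncrease and LockNotFound are hypothetical names. capHolds(false) models the missing check and returns false, while capHolds(true) applies the same guard in increase() and returns true.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Simplified model, NOT the veRAACToken source: it mints 1:1 with the locked
// amount (an assumption) and keeps only the supply-cap logic from the report.
contract CapModel {
    uint256 public constant MAX_TOTAL_SUPPLY = 100e18; // constructed value
    uint256 public totalSupply;
    mapping(address => uint256) public locked;
    bool public immutable capOnIncrease; // false = behaviour described in the report

    error TotalSupplyLimitExceeded();
    error LockNotFound(); // hypothetical error, only used by this model

    constructor(bool capOnIncrease_) {
        capOnIncrease = capOnIncrease_;
    }

    // Creating a lock is always checked against the cap.
    function lock(uint256 amount) external {
        if (totalSupply + amount > MAX_TOTAL_SUPPLY) revert TotalSupplyLimitExceeded();
        _mint(amount);
    }

    // Adding to an existing lock is checked only when capOnIncrease is true.
    function increase(uint256 amount) external {
        if (locked[msg.sender] == 0) revert LockNotFound();
        if (capOnIncrease && totalSupply + amount > MAX_TOTAL_SUPPLY) revert TotalSupplyLimitExceeded();
        _mint(amount);
    }

    function _mint(uint256 amount) private {
        locked[msg.sender] += amount;
        totalSupply += amount;
    }
}

// Hypothetical regression harness: fills the cap through lock(), then calls
// increase() and reports whether totalSupply <= MAX_TOTAL_SUPPLY still holds.
contract CapRegression {
    function capHolds(bool capOnIncrease) external returns (bool) {
        CapModel m = new CapModel(capOnIncrease);
        m.lock(m.MAX_TOTAL_SUPPLY());
        try m.increase(1) {} catch {} // a revert here means the guard fired
        return m.totalSupply() <= m.MAX_TOTAL_SUPPLY();
    }
}
```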

Impact

Bypass of the max total supply of the veRAAC token.

Recommendations

Add the same check to the increase() function:

function increase(uint256 amount) external nonReentrant whenNotPaused {
+ if (totalSupply() + amount > MAX_TOTAL_SUPPLY) revert TotalSupplyLimitExceeded();
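Review bot: The guard added at the top of increase() repeats the expression from lock() verbatim, so the two copies can drift apart again; move `totalSupply() + amount > MAX_TOTAL_SUPPLY` into one internal helper or modifier that both functions call. The snippet ends at the added line, so confirm that the check runs before any state change in the rest of the body. Add a regression test that fills the cap through lock() and expects a following increase() to revert with TotalSupplyLimitExceeded.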
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

veRAACToken::increase doesn't check the token supply, making it possible to mint over the MAX
