Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

User voting power is updated incorrectly when increasing a lock

Summary

When users increase their lock, the function calculates and updates their power based on an incorrect value.

Vulnerability Details

When users increase their lock by transferring additional RAAC tokens, the function calculates and updates their power based on a wrong value:

    function increase(uint256 amount) external nonReentrant whenNotPaused {
        // Increase lock using LockManager
        _lockState.increaseLock(msg.sender, amount);
        _updateBoostState(msg.sender, locks[msg.sender].amount);
        // Update voting power
        LockManager.Lock memory userLock = _lockState.locks[msg.sender];
        (int128 newBias, int128 newSlope) = _votingState.calculateAndUpdatePower(
            msg.sender,
@>          userLock.amount + amount,
            userLock.end
        );
        ...
    }

The function first increases the user's lock amount in _lockState by amount, and afterwards calls _votingState.calculateAndUpdatePower() with userLock.amount + amount, which is incorrect. Since userLock is read after the lock was already increased by amount, this double counts it.

  • originalAmount = 100

  • newAmount = 50

  • increaseLock(50) -> locked amount now 150

  • userLock.amount == 150

  • calculateAndUpdatePower(150 + 50) -> user's power updated with 2x amount

Impact

Users' power gets updated with 2x the amount they increase their lock with.
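
The double count described above, as an added example (not code from the audited contracts or from this submission) that models the call as written in the finding next to the corrected call. `VeModel`, `MAX_LOCK`, the linear power formula and the `overcount` invariant are assumptions made for illustration; the second increase goes beyond the page's single case.

```javascript
// Added illustration: a simplified model, not the RAAC contracts.
// Assumption: power = amount * remaining lock time / MAX_LOCK (linear decay).
const MAX_LOCK = 4 * 365 * 86400; // assumed maximum lock duration, in seconds

class VeModel {
  constructor(fixed) {
    this.fixed = fixed;     // false: call as in the finding; true: corrected call
    this.locks = new Map(); // user -> { amount, end }, stands in for _lockState
    this.power = new Map(); // user -> { basis, bias }, stands in for _votingState
  }
  calculateAndUpdatePower(user, amount, end, now) {
    const bias = (amount * BigInt(end - now)) / BigInt(MAX_LOCK);
    this.power.set(user, { basis: amount, bias });
    return bias;
  }
  lock(user, amount, end, now) {
    this.locks.set(user, { amount, end });
    return this.calculateAndUpdatePower(user, amount, end, now);
  }
  increase(user, amount, now) {
    this.locks.get(user).amount += amount;  // increaseLock(): stored amount now includes `amount`
    const userLock = this.locks.get(user);  // read after the update, as in increase()
    const basis = this.fixed ? userLock.amount : userLock.amount + amount;
    return this.calculateAndUpdatePower(user, basis, userLock.end, now);
  }
  // Invariant a test suite can assert: power is derived from exactly the locked amount.
  overcount(user) {
    return this.power.get(user).basis - this.locks.get(user).amount;
  }
}

// Constructed scenario: lock 100 for the full duration, then apply each increase.
function scenario(fixed, increases) {
  const m = new VeModel(fixed);
  m.lock("alice", 100n, MAX_LOCK, 0);
  for (const a of increases) m.increase("alice", a, 0);
  const { bias } = m.power.get("alice");
  return { locked: m.locks.get("alice").amount, bias, overcount: m.overcount("alice") };
}

console.log(scenario(false, [50n]));      // the page's numbers, call as in the finding
console.log(scenario(true, [50n]));       // corrected call
console.log(scenario(false, [50n, 30n])); // overcount equals the most recent increase
```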

Tools Used

Manual Review

Recommendations

(int128 newBias, int128 newSlope) = _votingState.calculateAndUpdatePower(
msg.sender,
- userLock.amount + amount,
+ userLock.amount,
userLock.end
);
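
Review bot: the `+ userLock.amount,` line is only correct because `userLock` is read from `_lockState.locks[msg.sender]` after `_lockState.increaseLock(msg.sender, amount)` has run, and nothing at the call site records that ordering dependency. Add a short comment on that argument stating that the stored amount already includes the increase, and a regression test for the 100 + 50 case above that expects power to be computed from 150, so a later reordering of these statements cannot silently reintroduce the double count.
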
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

veRAACToken::increase doubles the voting power of users
