Double counting of newly added RAAC tokens in the increase function of the veRAACToken contract allows an attacker (or even honest users) to maliciously (or inadvertently) receive more voting power than intended by the protocol.
The veRAACToken contract has an increase function which allows users to increase their voting power by locking up RAAC tokens and minting veRAACToken.
The newly added lock amount is first applied by calling increaseLock, which updates the locked amount.
_lockState.increaseLock(msg.sender, amount);
Reading userLock.amount afterward already reflects the updated amount.
The issue arises because, in the subsequent call to calculate the updated voting power, amount is added a second time (i.e. userLock.amount + amount), resulting in double-counting of the added tokens.
This causes the calculated voting power (newBias) to be higher than intended and results in excessive minting of veRAAC tokens.
Users end up with more voting power than warranted when increasing the locked amount, due to double counting of newly locked RAAC tokens.
This allows users to inflate their voting power disproportionately by repeatedly calling increase.
Impact: High
(Higher voting power distribution to users who lock through the 'increase' function)
Likelihood: High
Modify the argument as below
to avoid double counting while calculating updated voting power
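A simplified model of the double-counting pattern next to a corrected version, added here as an illustration; it is not code from this report or from the RAAC contracts. The contract name, lock, increaseDoubleCounted, increaseFixed, powerMatchesLock, MAX_DURATION and the linear weighting formula are assumptions, and token transfers and veRAAC minting are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Simplified model, not the RAAC contracts. Only increaseLock, userLock,
// amount and newBias come from the report; everything else is hypothetical.
contract VeLockModel {
    struct Lock { uint256 amount; uint256 end; }
    uint256 public constant MAX_DURATION = 1460 days; // assumed maximum lock
    mapping(address => Lock) public locks;
    mapping(address => uint256) public votingPower;

    function lock(uint256 amount, uint256 duration) external {
        require(amount > 0 && duration > 0 && duration <= MAX_DURATION, "bad lock");
        locks[msg.sender] = Lock(amount, block.timestamp + duration);
        votingPower[msg.sender] = _bias(amount, block.timestamp + duration);
    }

    // Pattern from the report: the lock is updated first, then `amount`
    // is added again when the voting power is recalculated.
    function increaseDoubleCounted(uint256 amount) external {
        _increaseLock(msg.sender, amount);
        Lock memory userLock = locks[msg.sender]; // already includes `amount`
        uint256 newBias = _bias(userLock.amount + amount, userLock.end);
        votingPower[msg.sender] = newBias;
    }

    // Corrected: the stored lock amount is the only input to the calculation.
    function increaseFixed(uint256 amount) external {
        _increaseLock(msg.sender, amount);
        Lock memory userLock = locks[msg.sender];
        uint256 newBias = _bias(userLock.amount, userLock.end);
        votingPower[msg.sender] = newBias;
    }

    // Test invariant, checked in the same block as the increase:
    // recorded power must equal the power derived from the stored lock.
    function powerMatchesLock(address user) external view returns (bool) {
        Lock memory userLock = locks[user];
        return votingPower[user] == _bias(userLock.amount, userLock.end);
    }

    function _increaseLock(address user, uint256 amount) internal {
        locks[user].amount += amount;
    }

    // Assumed linear ve-style weighting: amount * remaining time / MAX_DURATION.
    function _bias(uint256 amount, uint256 end) internal view returns (uint256) {
        if (end <= block.timestamp) return 0;
        return (amount * (end - block.timestamp)) / MAX_DURATION;
    }
}
```

With constructed values, after lock(100e18, 1460 days) a call to increaseDoubleCounted(50e18) records power for 200e18 tokens against 150e18 locked, so powerMatchesLock returns false in that block; increaseFixed keeps it true.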