In the lock() function, there is a check to ensure that the amount being locked by an individual user does not exceed MAX_LOCK_AMOUNT, but there is no check to ensure that the total amount locked by all users does not exceed MAX_TOTAL_LOCKED_AMOUNT.
The protocol defines two constants: MAX_LOCK_AMOUNT, the maximum amount of tokens that can be locked in a single position, and MAX_TOTAL_LOCKED_AMOUNT, the maximum total amount of tokens that can be locked globally across all positions.
Currently, lock() only ensures that the amount is not greater than MAX_LOCK_AMOUNT:
However, it never checks whether the total already locked by all users, plus the amount the caller is bringing in, exceeds MAX_TOTAL_LOCKED_AMOUNT.
As a result, the global cap is not enforced at all: once enough users have each locked up to their per-position limit, further calls to lock() keep succeeding and the total locked amount grows past MAX_TOTAL_LOCKED_AMOUNT. The per-position cap alone cannot bound the total, since the number of positions is unbounded. Any part of the protocol that relies on MAX_TOTAL_LOCKED_AMOUNT as an invariant then operates outside its assumed bounds, which disrupts the intended functionality of the token locking mechanism.
Manual Review
Add a check to ensure that the total amount locked by all users does not exceed MAX_TOTAL_LOCKED_AMOUNT:
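The following is an added illustration written for this report, not the project's own code. It assumes a minimal locker contract with one position per user, a running `totalLocked` counter, and the constant values shown (all hypothetical); the token interface is stubbed inline so the contract compiles stand-alone. The `lock()` function carries the existing per-position check and the missing global check side by side, and `unlock()` shows the companion fix a practitioner would want: the total must be decremented on withdrawal, otherwise the global cap silently becomes a lifetime cap.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed by the example (assumed, not the project's interface).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract TokenLocker {
    // Hypothetical values: 10 full-size positions fill the global cap exactly.
    uint256 public constant MAX_LOCK_AMOUNT = 1_000_000e18;
    uint256 public constant MAX_TOTAL_LOCKED_AMOUNT = 10_000_000e18;

    IERC20 public immutable token;

    // Assumed storage layout: one position per user plus a global running sum.
    mapping(address => uint256) public locked;
    uint256 public totalLocked;

    error ExceedsPositionCap(uint256 newPosition, uint256 cap);
    error ExceedsGlobalCap(uint256 requested, uint256 remaining);
    error InsufficientLocked(uint256 requested, uint256 available);

    constructor(IERC20 _token) {
        token = _token;
    }

    function lock(uint256 amount) external {
        // Existing check: the caller's position may not exceed MAX_LOCK_AMOUNT.
        uint256 newPosition = locked[msg.sender] + amount;
        if (newPosition > MAX_LOCK_AMOUNT) {
            revert ExceedsPositionCap(newPosition, MAX_LOCK_AMOUNT);
        }

        // Missing check from the finding: bound the global total as well.
        // Compare the total *after* this deposit, not the current total, or the
        // final deposit can still push totalLocked past the cap.
        uint256 newTotal = totalLocked + amount;
        if (newTotal > MAX_TOTAL_LOCKED_AMOUNT) {
            revert ExceedsGlobalCap(amount, MAX_TOTAL_LOCKED_AMOUNT - totalLocked);
        }

        // Update state before the external call (checks-effects-interactions).
        locked[msg.sender] = newPosition;
        totalLocked = newTotal;
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
    }

    function unlock(uint256 amount) external {
        uint256 position = locked[msg.sender];
        if (amount > position) {
            revert InsufficientLocked(amount, position);
        }

        locked[msg.sender] = position - amount;
        // Decrement the global sum, otherwise MAX_TOTAL_LOCKED_AMOUNT becomes a
        // lifetime limit and the locker bricks itself once the cap is ever reached.
        totalLocked -= amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }

    // Convenience view: how much headroom remains under the global cap.
    function remainingCapacity() external view returns (uint256) {
        return MAX_TOTAL_LOCKED_AMOUNT - totalLocked;
    }
}
```

With the assumed constants, ten distinct users can each lock 1_000_000e18 and the eleventh call reverts with ExceedsGlobalCap, whereas under the original code the eleventh (and every later) call succeeds and totalLocked climbs past MAX_TOTAL_LOCKED_AMOUNT without limit. The invariant to carry into a test suite is `totalLocked <= MAX_TOTAL_LOCKED_AMOUNT` after every successful lock() and unlock(), together with `totalLocked == sum(locked[u])` over all users.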