The current implementation checks the maximum total supply against the sum of the totalSupply() and the amount of RAAC tokens being locked, which is not the correct approach.
totalSupply() represents the total veRAAC tokens in supply, i.e., already minted to users.
In lock(), however, the MAX_TOTAL_SUPPLY check is done as follows:
Here, amount is the number of raacTokens being supplied by the user for locking, whereas newPower is the number of veRAAC tokens minted in return:
As such, when minting is done, the totalSupply() will be incremented by this newPower.
Therefore, it is imperative to perform the MAX_TOTAL_SUPPLY check right before this minting is done, but, as seen, the function does this inaccurately.
By checking against totalSupply() + amount, the contract could allow minting of veRAAC tokens that would push the total supply over the defined MAX_TOTAL_SUPPLY, leading to a violation of the contract's constraints.
Manual Review
Perform the MAX_TOTAL_SUPPLY check right before minting veRAAC tokens:
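The two orderings of the check side by side, as an added sketch that is not the veRAAC contract's own code: the contract name, the cap value, MAX_LOCK_DURATION, the linear powerFor() formula and both function names are assumptions made for illustration, and the RAAC token transfer is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added sketch, not the veRAAC contract. The cap value, MAX_LOCK_DURATION and
// the linear power formula are assumptions; the RAAC transfer is omitted.
contract SupplyCapSketch {
    uint256 public constant MAX_TOTAL_SUPPLY = 1_000_000 * 1e18; // assumed cap
    uint256 public constant MAX_LOCK_DURATION = 1460 days;       // assumed

    uint256 public totalSupply; // ve tokens already minted
    mapping(address => uint256) public balanceOf;

    error TotalSupplyLimitExceeded();
    error InvalidDuration();

    // Stand-in conversion from locked amount to minted ve tokens.
    function powerFor(uint256 amount, uint256 duration) public pure returns (uint256) {
        if (duration == 0 || duration > MAX_LOCK_DURATION) revert InvalidDuration();
        return (amount * duration) / MAX_LOCK_DURATION;
    }

    // Shape described in the finding: the guard is evaluated on `amount`,
    // a quantity that is never added to totalSupply.
    function lockCheckedOnAmount(uint256 amount, uint256 duration) external {
        if (totalSupply + amount > MAX_TOTAL_SUPPLY) revert TotalSupplyLimitExceeded();
        uint256 newPower = powerFor(amount, duration);
        _mint(msg.sender, newPower);
    }

    // Recommended shape: compute newPower first, then compare the value that
    // totalSupply will actually reach against the cap, right before minting.
    function lockCheckedOnPower(uint256 amount, uint256 duration) external {
        uint256 newPower = powerFor(amount, duration);
        if (totalSupply + newPower > MAX_TOTAL_SUPPLY) revert TotalSupplyLimitExceeded();
        _mint(msg.sender, newPower);
    }

    function _mint(address to, uint256 value) private {
        totalSupply += value;
        balanceOf[to] += value;
    }
}
```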