Core Contracts

Summary

the veToken system is designed to align long-term incentives by requiring users to lock RAAC tokens to participate in governance. Just like putting real estate in escrow you maintain ownership but commit to holding for a set period. The lock mechanism is crucial for protocol stability and preventing governance attacks. Having veRAAC tokens requires having locked RAAC, this mirrors how in real estate, you can't have equity rights without actually owning the property.

A user can end up with a positive veRAAC balance but no corresponding locked position. This means they could participate in governance without the required skin-in-the-game, similar to voting on property decisions without actually being invested.

If we look at the dual gauge system (RAACGauge.sol and RWAGauge.sol), this vulnerability becomes even more concerning. These gauges direct protocol incentives based on veRAAC voting power. An account with unvested voting power could manipulate gauge weights, affecting both the DeFi and real estate sides of the protocol.

Vulnerability Details

veRAACToken._update

Users can accumulate voting power without maintaining the required token locks. In the context of RAAC's dual-gauge system, this creates a dangerous misalignment of incentives. The GaugeController distributes both weekly RAAC emissions and monthly real estate yields based on these voting weights.

When you Look at the gauge system implementation, we can see how this cascades. The RAACGauge handles protocol token emissions while the RWAGauge directs real estate yields. Both rely on accurate vote-weight accounting from veRAACToken. When lock consistency breaks, it distorts the entire reward distribution mechanism.

The TimeWeightedAverage library, which calculates voting power decay, operates on potentially invalid state. This allows manipulation of both DeFi incentives and real estate yield allocation the two pillars of RAAC's economic model.

1. Operation Types:

   • Minting: from = address(0) → Creates new veRAAC tokens

   • Burning: to = address(0) → Destroys existing veRAAC tokens

   • Regular: Both addresses non-zero → Always reverts

2. The Flow:

Impact

The code expect that any user with a positive veRAACToken balance must have tokens locked in the system, the relationship between balanceOf() and getLockedBalance() is fundamental to the vote-escrow mechanism.

Looking at veRAACToken.sol, we can see how this could be violated:

1. The lock() function mints veRAACTokens based on amount and duration

2. The withdraw() function should only allow withdrawals after lock expiry

3. The balance tracking and lock state can become desynchronized

Stems from the relationship between:

• Token balances (tracked via ERC20 mechanics)

• Lock positions (tracked in the LockManager library)

• Voting power calculations (handled by VotingPowerLib)

Tools Used

manual

Recommendations

Strengthen the connection between token balances and lock positions in veRAACToken. Every balance-changing operation must verify lock consistency, similar to how real estate transactions require title verification.