Total amount of raacTokens locked is not updated during withdrawal
Summary
The lock() and increase() functions in the veRAACToken contract correctly increment the _lockState.totalLocked variable when tokens are locked. However, the withdraw() and emergencyWithdraw() functions do not decrement this variable when tokens are withdrawn, leading to an inconsistent state in the contract.
Vulnerability Details
In the lock() and increase() functions, the total amount of tokens locked is tracked by incrementing the _lockState.totalLocked variable. This ensures that the contract maintains an accurate record of the total tokens locked at any given time.
Conversely, in the withdraw() and emergencyWithdraw() functions, while tokens are being removed from the user's lock, the _lockState.totalLocked variable is not decremented.
This oversight means that the total locked amount does not reflect the actual state of the contract, leading to potential issues in future locking operations or checks against the maximum total locked amount.
Impact
MAX_TOTAL_LOCKED_AMOUNT defines how many tokens can be locked globally. Since the total locked amount is not updated correctly, this limit may be reached preventing further locks when in reality the actual amount of tokens locked is way below it.
Tools Used
Manual Review
Recommendations
Decrement the _lockState.totalLocked variable by the amount being withdrawn.
Lead Judging Commences
veRAACToken::withdraw / emergencyWithdraw doesn't substract the `_lockState.totalLocked`
veRAACToken::withdraw / emergencyWithdraw doesn't substract the `_lockState.totalLocked`
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.