Un-updated boostState during withdrawals leaves contract is a stale state
Summary
The withdraw() and emergencyWithdraw() functions in the veRAACToken contract do not call the _updateBoostState() function after veRAAC tokens are burned. This oversight results in a stale boost state, which reflects inaccurate total supply of veRAAC tokens.
Vulnerability Details
The _updateBoostState() function is responsible for updating critical state variables, including totalVotingPower, whenever tokens are locked or increased. This ensures that the contract accurately reflects the current total supply of veRAAC tokens in circulation.
However, during the withdraw() and emergencyWithdraw() functions, while veRAAC tokens are burned (which decreases the total supply), _updateBoostState() is not called.
As a result, the boost state remains unchanged, and in an inconsistent state that do not accurately reflect the real status of the contract.
Impact
The totalVotingPower may not accurately reflect the current supply of veRAAC tokens, which can be misleading.
Tools Used
Manual Review
Recommendations
Call _updateBoostState() after burning veRAAC tokens to ensure that the boost state reflects the current total supply.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.