maxTotalLocked limitation does not work
Summary
maxTotalLocked limitation does not work
Vulnerability Details
In veRAAC token, there is one variable maxTotalLocked. This variable aims to limit the maximum total locked RAAC token. But when we create one lock or increase one lock, we don't check this limitation. This will cause that this limitation may be bypassed and the actual total locked amount may exceed the maxTotalLocked. This is unexpected.
We should notice that there is another limitation MAX_TOTAL_SUPPLY. This limitation is for the veRAAC Token maximum amount. However, this limitation cannot guarantee that we can not exceed the maxTotalLocked.
Below is some analysis based on the default value:MAX_TOTAL_SUPPLY = 100M, MAX_TOTAL_LOCKED_AMOUNT = 1B.
Lock 400M RAAC token for 1 year. Then we will mint 100M veRAAC, and current locked amount is 400M.
2.When the time reaches the expiry date, we extend 36.5 days, then the new bias will be 10M. We will burn 90M veRAAC token, at the same time, our locked amount will remain the same.In this way, we can try to lock more in the veRAAC token. The total locked amount can be increasing again to exceed the max total locked amount.
Impact
maxTotalLocked is one limitation for the total locked amount in veRAAC token. But it does not work.
Tools Used
Manual
Recommendations
Check the total Locked amount when we create or increase one lock.
Lead Judging Commences
`veRAACToken::lock` function doesn't check MAX_TOTAL_LOCKED_AMOUNT
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.