Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

maxTotalLocked is not checked when user locks RAAC tokens in veRAACToken

h2134

Summary

maxTotalLocked is not checked when user locks RAAC tokens in veRAACToken.

Vulnerability Details

When a user calls lock() to create a new lock position for RAAC tokens, protocol checks if the locked amount is more than MAX_LOCK_AMOUNT or the total supply after the lock would mint more veRAAC tokens than MAX_TOTAL_SUPPLY.

veRAACToken::lock()

if (amount == 0) revert InvalidAmount();
if (amount > MAX_LOCK_AMOUNT) revert AmountExceedsLimit();
if (totalSupply() + amount > MAX_TOTAL_SUPPLY) revert TotalSupplyLimitExceeded();
if (duration < MIN_LOCK_DURATION || duration > MAX_LOCK_DURATION)
revert InvalidLockDuration();

However, it does not check if the total locked RAAC token amount is larger than _lockState.maxTotalLocked.

The same issue exists in increase() when user increase locked amount.

Impact

The locked RAAC token amount can be more than maxTotalLocked.

Tools Used

Manaul Review

Recommendations

Check if the total locked RAAC token amount is larger than _lockState.maxTotalLocked.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

`veRAACToken::lock` function doesn't check MAX_TOTAL_LOCKED_AMOUNT

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!