The increase function in veRAACToken.sol contains a bug where the lock amount is counted twice when calculating voting power, leading to inflated voting power for users who increase their lock amounts.
Looking at the increase function, we can see that the amount is double-counted during voting power calculation:
_lockState.increaseLock(msg.sender, amount) adds the amount to the user's lock.
userLock = _lockState.locks[msg.sender] loads the lock that already includes the new amount.
calculateAndUpdatePower is called with userLock.amount + amount, effectively adding the amount twice.
Inflated voting power for users who increase their lock amounts. This also leads to incorrect governance voting weight calculations, thereby providing unfair boost multipliers in the protocol.
Manual code review
Fix the double-counting by removing the second addition of amount:
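The before and after of this change, shown as an added example on a simplified model contract; it is not the veRAACToken source and not code from this report. The contract name, storage layout, MAX_LOCK_DURATION value and the linear, non-decaying power formula are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Simplified model of the pattern described above, NOT the veRAACToken source.
// Assumptions: storage layout, MAX_LOCK_DURATION, linear power formula, no decay.
contract LockPowerModel {
    struct Lock { uint256 amount; uint256 duration; }

    uint256 public constant MAX_LOCK_DURATION = 1460 days; // assumed value
    mapping(address => Lock) public locks;
    mapping(address => uint256) public votingPower;

    function createLock(uint256 amount, uint256 duration) external {
        require(amount > 0 && duration > 0 && duration <= MAX_LOCK_DURATION, "bad params");
        require(locks[msg.sender].amount == 0, "lock exists");
        locks[msg.sender] = Lock(amount, duration);
        votingPower[msg.sender] = _power(amount, duration);
    }

    // Before: the lock is updated first, then `amount` is added a second time.
    function increaseBuggy(uint256 amount) external {
        _increaseLock(msg.sender, amount);
        Lock memory userLock = locks[msg.sender]; // already includes `amount`
        votingPower[msg.sender] = _power(userLock.amount + amount, userLock.duration);
    }

    // After: the freshly loaded lock is the only input to the power calculation.
    function increaseFixed(uint256 amount) external {
        _increaseLock(msg.sender, amount);
        Lock memory userLock = locks[msg.sender];
        votingPower[msg.sender] = _power(userLock.amount, userLock.duration);
    }

    // Invariant for a unit or fuzz test: recorded power always matches the stored lock.
    function powerMatchesLock(address user) external view returns (bool) {
        Lock memory l = locks[user];
        return votingPower[user] == _power(l.amount, l.duration);
    }

    function _increaseLock(address user, uint256 amount) internal {
        require(amount > 0, "zero amount");
        require(locks[user].amount > 0, "no lock");
        locks[user].amount += amount;
    }

    function _power(uint256 amount, uint256 duration) internal pure returns (uint256) {
        return (amount * duration) / MAX_LOCK_DURATION;
    }
}
```

In this model, a lock of 100 tokens at the maximum duration followed by increaseBuggy(50) leaves a stored lock of 150 but a recorded power of 200, and powerMatchesLock returns false. The same sequence through increaseFixed records 150 and the invariant holds.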