Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Through `veRAACToken.sol::increase()` function user can mint excess veRAACs by transferring very few raacs.

orangesantra

Summary

increase() function is used to increase locked raac amount. -

function increase(uint256 amount) external nonReentrant whenNotPaused {

// Increase lock using LockManager

_lockState.increaseLock(msg.sender, amount);

_updateBoostState(msg.sender, locks[msg.sender].amount);

// Update voting power

LockManager.Lock memory userLock = _lockState.locks[msg.sender];

(int128 newBias, int128 newSlope) = _votingState.calculateAndUpdatePower(

msg.sender,

userLock.amount + amount,

userLock.end

);

// Update checkpoints

uint256 newPower = uint256(uint128(newBias));

_checkpointState.writeCheckpoint(msg.sender, newPower);

// Transfer additional tokens and mint veTokens

@-> raacToken.safeTransferFrom(msg.sender, address(this), amount);

@-> _mint(msg.sender, newPower - balanceOf(msg.sender));

emit LockIncreased(msg.sender, amount);

}

The veRAAC amount being minted back to msg.sender is newPower - balanceOf(msg.sender).
This logic is incorrect.

Vulnerability Details

Suppose user has 2 addresses addrA and addrB.
user transfer majority of it's raac balance from addrA to addrB.
addrA holding very less balance.
addrA is being used to trigger increase function, putting max amount availabe with addrA in param.
The newPower will be incremented value of oldPower, decided by function calculateAndUpdatePowe().

Problem starts

since balanceOf(msg.sender) is small; means newPower - balanceOf(msg.sender) will be large.
Conclusion - with very less transfer of RAAC tokens to contract; user is receiving large amount of veRAAC.
This flaw can lead to problem, with less investment user can have larger veRAAC tokens (higher voting power).

Impact

User can get higher voting power with very less investment.

Tools Used

Manual

Recommendations

Change the current architecture of increase() function.

Updates

Lead Judging Commences

inallhonesty Lead Judge

6 months ago

inallhonesty Lead Judge 4 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.