Submission Details
Severity:
Inconsistent Lock Existence Validation in veRAACToken::getLockPosition Function
Description
The veRAACToken::getLockPosition function returns lock data without validating if the lock position exists.
// No existence check
function getLockPosition(address account) external view returns (LockPosition memory) {
@> LockManager.Lock memory userLock = _lockState.getLock(account); // Could be non-existent
return LockPosition({
amount: userLock.amount, // Returns 0 for non-existent lock
end: userLock.end, // Returns 0 for non-existent lock
power: balanceOf(account) // Returns 0 for non-existent lock
});
}
Risk
Likelihood: Low
Affects only view function
No direct state changes
Impact: Low
Could lead to UI confusion
External integrations might misinterpret data
No financial impact
Recommended Mitigation
+ error LockNotFound();
function getLockPosition(address account) external view returns (LockPosition memory) {
LockManager.Lock memory userLock = _lockState.getLock(account);
+ if (!userLock.exists) revert LockNotFound();
return LockPosition({
amount: userLock.amount,
end: userLock.end,
power: balanceOf(account)
});
}
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.