Incorrect total supply check in `lock` in the `veRAACToken` contract
Summary
The veRAACToken contract miscalculates the total supply check by incorrectly comparing the total veRAACToken supply with the amount of RAACTokens locked, instead of the actual voting power (veRAACTokens) minted based on duration.
Vulnerability Details
In the lock function, the issue arises because the totalSuppply is the supply of veRAACTokens and amount represents the RAACTokens being locked. The actual veRAACTokens minted (newPower) is calculated based on both amount and duration:
The amount of RAACTokens a user locks is always going to be bigger than the amount of veRAACTokens they receive, unless the user locks their RAACTokens for 1460 days, which is the MAX_LOCK_DURATION.
Impact
This flaw results in an inaccurate enforcement of the total supply cap, potentially preventing valid token locks or allowing supply inconsistencies, which could disrupt the protocol’s economic model.
Recommendations
Ensure the total supply check is performed after calculating newPower, so that the comparison is made against the actual voting power being minted rather than the raw lock amount.
Lead Judging Commences
Incorrect `MAX_TOTAL_SUPPLY` check in the `veRAACToken::lock/extend` function of `veRAACToken` could harm locking functionality
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.