Bypassing MAX_TOTAL_SUPPLY Limit via LockManager.sol:::increaseLock() Leads to Potential Denial of Service (DoS)
Summary
The increaseLock() function allows users to increase their locked RAAC tokens. However, unlike the lock() function, increaseLock() does not enforce the MAX_TOTAL_SUPPLY limit. This inconsistency enables a malicious user to exceed the maximum supply, preventing other users from locking their RAAC tokens. This leads to Denial of Service (DoS) for legitimate users.
Vulnerability Details
The lock() function correctly checks the total supply of locked RAAC and reverts if it exceeds the maximum:
https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/tokens/veRAACToken.sol#L215
However, the _lockState.increaseLock function in veRAACToken.sol:::increase does not perform this check:
https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/libraries/governance/LockManager.sol#L162-L164
Attack Scenario
Step 1: An attacker locks a small amount of RAAC using lock().
Step 2: They repeatedly call increaseLock() to add more tokens.
Step 3: This increases the total locked supply beyond MAX_TOTAL_SUPPLY.
Step 4: Other users attempting to lock tokens using lock() will be reverted by the check.
Outcome: The attacker blocks other users from participating.
Impact
Denial of Service (DoS): Other users cannot lock RAAC once the total supply exceeds MAX_TOTAL_SUPPLY.
Tools Used
Manual Review
Recommended Mitigation
Add a MAX_TOTAL_SUPPLY check inside the increaseLock() function to match the validation in lock():
Lead Judging Commences
Incorrect `MAX_TOTAL_SUPPLY` check in the `veRAACToken::lock/extend` function of `veRAACToken` could harm locking functionality
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.