Submission Details
Severity:
Incorrect Boost State Update Ordering in Lock Function
Summary
The _updateBoostState call in veRAACToken's lock function occurs before the state changes, leading to boost calculations based on outdated values
Vulnerability Details
Current implementation:
function lock(uint256 amount, uint256 duration) external nonReentrant whenNotPaused {
// Transfer tokens
// Create user's lock
_updateBoostState(); // Called too early
// Mint token
}
The boost state update uses stale values because of outdated total supply
function _updateBoostState(address user, uint256 newAmount) internal {
// Update boost calculator state
_boostState.votingPower = _votingState.calculatePowerAtTimestamp(user, block.timestamp);
@> _boostState.totalVotingPower = totalSupply();
_boostState.totalWeight = _lockState.totalLocked;
_boostState.updateBoostPeriod();
}
The veToken is not yet minted so the _boostState.totalVotingPower is incorrect
Impact
This leads to Incorrect boost multiplier calculations and Inaccurate reward distributions
Tools Used
Manual review
Recommendations
Move _updateBoostState to end of function
Updates
Lead Judging Commences
inallhonesty 7 months ago
Submission Judgement Published Assigned finding tags:
veRAACToken::_updateBoostState should be called later inside lock/increase
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420
USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.