Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Invalid

RAACReleaseOrchestrator lacks total supply validation in updateCategoryAllocation

Relevant GitHub Links

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/minters/RAACReleaseOrchestrator/RAACReleaseOrchestrator.sol#L147C4-L156C6

Summary

The updateCategoryAllocation function lacks validation to ensure that category allocations don't exceed the total token supply.

Vulnerability Details

The function only validates that the new allocation isn't below the used amount, but fails to check it against the max supply:

    function updateCategoryAllocation(bytes32 category, uint256 newAllocation) external onlyRole(DEFAULT_ADMIN_ROLE) {
        if (categoryAllocations[category] == 0) revert InvalidCategory();
        if (newAllocation < categoryUsed[category]) revert InvalidAmount();
        categoryAllocations[category] = newAllocation;
        emit CategoryAllocationUpdated(category, newAllocation);
    }

Impact

An admin could accidentally set a category allocation higher than the total supply, causing inconsistent state in allocation tracking. No impact on funds or existing vesting schedules.

Tools Used

Manual Review

Recommendations

Add max supply validation:

    function updateCategoryAllocation(bytes32 category, uint256 newAllocation) external onlyRole(DEFAULT_ADMIN_ROLE) {
        if (categoryAllocations[category] == 0) revert InvalidCategory();
        if (newAllocation < categoryUsed[category]) revert InvalidAmount();
        if (newAllocation > TOTAL_SUPPLY) revert AllocationTooHigh();
        categoryAllocations[category] = newAllocation;
        emit CategoryAllocationUpdated(category, newAllocation);
    }

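
An added example, not code from the RAAC repository or from the submitter: it goes beyond the per-category check recommended above and bounds the sum of all category allocations, since each category can stay under the supply while their total does not. The TOTAL_SUPPLY value, the totalAllocated counter, the NotAdmin error, the constructor and the single-admin check are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not RAACReleaseOrchestrator itself.
// Anything marked "assumed" does not come from the page.
contract AllocationCapExample {
    uint256 public constant TOTAL_SUPPLY = 100_000_000 ether; // assumed value
    address public immutable admin;   // assumed stand-in for DEFAULT_ADMIN_ROLE
    uint256 public totalAllocated;    // assumed running sum of all allocations

    mapping(bytes32 => uint256) public categoryAllocations;
    // Raised when schedules are created; that path is omitted here.
    mapping(bytes32 => uint256) public categoryUsed;

    error InvalidCategory();
    error InvalidAmount();
    error AllocationTooHigh();
    error NotAdmin(); // assumed

    event CategoryAllocationUpdated(bytes32 indexed category, uint256 newAllocation);

    constructor(bytes32[] memory categories, uint256[] memory amounts) {
        if (categories.length != amounts.length) revert InvalidAmount();
        admin = msg.sender;
        uint256 sum;
        for (uint256 i = 0; i < categories.length; i++) {
            // Reject empty and duplicate categories so the sum stays exact.
            if (amounts[i] == 0 || categoryAllocations[categories[i]] != 0) revert InvalidCategory();
            categoryAllocations[categories[i]] = amounts[i];
            sum += amounts[i];
        }
        if (sum > TOTAL_SUPPLY) revert AllocationTooHigh();
        totalAllocated = sum;
    }

    function updateCategoryAllocation(bytes32 category, uint256 newAllocation) external {
        if (msg.sender != admin) revert NotAdmin();
        uint256 current = categoryAllocations[category];
        if (current == 0) revert InvalidCategory();
        if (newAllocation < categoryUsed[category]) revert InvalidAmount();
        // Aggregate bound: swap this category's old share for the new one.
        uint256 newTotal = totalAllocated - current + newAllocation;
        if (newTotal > TOTAL_SUPPLY) revert AllocationTooHigh();
        totalAllocated = newTotal;
        categoryAllocations[category] = newAllocation;
        emit CategoryAllocationUpdated(category, newAllocation);
    }
}
```
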
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
