Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Double-Counting in Lock Amount During Power Calculation

6ixty8ty

Summary

A critical vulnerability has been identified in the increase() function in the VeRAACToken contract where the lock amount is double-counted during voting power calculation. This occurs because the amount being locked is added twice: once during the lock state update and again during the power calculation.

https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/tokens/veRAACToken.sol

problematic implementation

function increase(uint256 amount) external nonReentrant whenNotPaused {
_lockState.increaseLock(msg.sender, amount);
_updateBoostState(msg.sender, locks[msg.sender].amount);
LockManager.Lock memory userLock = _lockState.locks[msg.sender];
(int128 newBias, int128 newSlope) = _votingState.calculateAndUpdatePower(
msg.sender,
userLock.amount + amount,
userLock.end
);
// Existing code .....

Vulnerability Details

The vulnerability occurs in the following sequence:

  1. The function first updates the lock state:

_lockState.increaseLock(msg.sender, amount);

  1. Then retrieves the updated lock (which now includes the amount):

LockManager.Lock memory userLock = _lockState.locks[msg.sender];

  1. Finally, incorrectly adds the amount again during power calculation:

(int128 newBias, int128 newSlope) = _votingState.calculateAndUpdatePower(
msg.sender,
userLock.amount + amount, // amount is double-counted here
userLock.end
);

Impact

  1. Inflated voting power calculation where users receive approximately double their intended voting power

  2. Potential manipulation of governance decisions due to incorrectly calculated voting weights

Tools Used

manual review

Recommendations

  1. Remove the additional amount in the power calculation:

(int128 newBias, int128 newSlope) = _votingState.calculateAndUpdatePower(
msg.sender,
userLock.amount, // Remove + amount
userLock.end
);

  1. Alternatively, retrieve the lock state before increasing it:

LockManager.Lock memory userLock = _lockState.locks[msg.sender];
_lockState.increaseLock(msg.sender, amount);
(int128 newBias, int128 newSlope) = _votingState.calculateAndUpdatePower(
msg.sender,
userLock.amount + amount,
userLock.end
);
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

veRAACToken::increase doubles the voting power of users

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!