Submission Details
Severity:
Creating a lock does not check the max lock amount
Summary
Creating a lock does not check the max lock amount
Vulnerability Details
Upon increasing a lock, we have this code:
if (lock.amount + additionalAmount > state.maxLockAmount) revert AmountExceedsLimit();
The issue is that upon creating a lock, such a check is completely missing (this is on the LockManager library called):
function createLock(
LockState storage state,
address user,
uint256 amount,
uint256 duration
) internal returns (uint256 end) {
// Validation logic remains the same
if (state.minLockDuration != 0 && state.maxLockDuration != 0) {
if (duration < state.minLockDuration || duration > state.maxLockDuration)
revert InvalidLockDuration();
}
if (amount == 0) revert InvalidLockAmount();
end = block.timestamp + duration;
state.locks[user] = Lock({
amount: amount,
end: end,
exists: true
});
state.totalLocked += amount;
emit LockCreated(user, amount, end);
return end;
}
This allows any lock to be over the maximum allowed amount without any constraints.
Impact
Locks can be over the max allowed amount
Tools Used
Manual Review
Recommendations
Implement the check upon creating a lock as well
Updates
Lead Judging Commences
inallhonesty 7 months ago
Submission Judgement Published Assigned finding tags:
`veRAACToken::lock` function doesn't check MAX_TOTAL_LOCKED_AMOUNT
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420
USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.