Incorrect Supply Check in `veRAACToken::lock` Function: Comparing veRAAC Supply with RAAC Token Amounts
Summary
The lock function in the veRAACToken contract incorrectly compares the total supply of veRAAC tokens (totalSupply() + amount) against MAX_TOTAL_SUPPLY. This comparison mixes units, as totalSupply() represents veRAAC tokens, while amount represents RAAC tokens. The correct check should compare the total locked RAAC tokens (_lockState.totalLocked + amount) against MAX_TOTAL_LOCKED_AMOUNT. This issue could lead to incorrect enforcement of the maximum locked amount, potentially allowing users to lock more RAAC tokens than intended.
Vulnerability Details
The lock function enforces a maximum total supply of veRAAC tokens by checking:
However, this comparison is flawed because:
totalSupply()returns the total supply of veRAAC tokens, which are not directly equivalent to RAAC tokens.amountrepresents the amount of RAAC tokens being locked.The correct comparison should be between the total locked RAAC tokens (
_lockState.totalLocked + amount) andMAX_TOTAL_LOCKED_AMOUNT.
Impact
The incorrect comparison undermines the protocol's design, which is intended to limit the total amount of RAAC tokens that can be locked.
Tools Used
Manual Review
Recommendations
Update the lock function to compare the total locked RAAC tokens against MAX_TOTAL_LOCKED_AMOUNT.
Lead Judging Commences
`veRAACToken::lock` function doesn't check MAX_TOTAL_LOCKED_AMOUNT
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.