`getLockedBalance` function retrieves incorrect data in veRAACToken contract
Summary
The getLockedBalance function in the veRAACToken contract incorrectly references the locks mapping instead of the _lockState.locks mapping, leading to inaccurate balance readings for locked tokens.
Vulnerability Details
The function getLockedBalance is designed to return the amount of RAAC tokens locked by a specific account.
However, it retrieves this data from the locks mapping, which is unused in the contract. The correct data source should be the _lockState.locks mapping, which contains the actual lock state. This discrepancy causes the function to return stale or zero values, even when valid locks exist in _lockState.
Impact
This bug can lead to incorrect reporting of locked balances. Users may be unable to verify their locked balances correctly, leading to confusion and potential loss of trust in the protocol.
Tools Used
Manual review
Recommendations
Update the function to reference _lockState.locks instead of locks:
Lead Judging Commences
veRAACToken::getLockEndTime and getLockedBalance returns 0 by reading from unused locks mapping instead of _lockState, making lock expiry times unavailable to clients
veRAACToken::getLockEndTime and getLockedBalance returns 0 by reading from unused locks mapping instead of _lockState, making lock expiry times unavailable to clients
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.