Incorrect lock expiry data retrieved in `veRAACToken::getLockEndTime` function
Summary
The getLockEndTime function in the veRAACToken contract is flawed as it retrieves lock expiration data from the wrong storage location, resulting in incorrect lock end times being returned.
Vulnerability Details
The getLockEndTime function is intended to return the timestamp when a user's lock expires.
However, it incorrectly queries the locks mapping, which is not actively used in the contract. The correct data source is the _lockState.locks mapping, which holds the actual lock state. This error causes the function to return outdated or zero values, even when valid locks exist in _lockState.
Impact
This issue can mislead users about their lock expiration times, potentially causing them to miss opportunities to extend or withdraw their locks. It could also disrupt governance processes, as users may base their decisions on incorrect lock duration information.
Tools Used
Manual review
Recommendations
Modify the function to use _lockState.locks instead of locks:
Lead Judging Commences
veRAACToken::getLockEndTime and getLockedBalance returns 0 by reading from unused locks mapping instead of _lockState, making lock expiry times unavailable to clients
veRAACToken::getLockEndTime and getLockedBalance returns 0 by reading from unused locks mapping instead of _lockState, making lock expiry times unavailable to clients
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.