Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

Voting power loss when extending locks in `veRAACToken`

nikikiki

Summary

The extend function in veRAACToken incorrectly calculates voting power when extending lock duration by calculating power based on the remaining duration instead of the total lock duration since initial lock, leading to potential loss of voting power.

Vulnerability Details

In veRAACToken, when a user calls extend, the voting power is recalculated:

function extend(uint256 newDuration) external nonReentrant whenNotPaused {
// Extend lock using LockManager
uint256 newUnlockTime = _lockState.extendLock(msg.sender, newDuration);
// Update voting power
LockManager.Lock memory userLock = _lockState.locks[msg.sender];
(int128 newBias, int128 newSlope) = _votingState.calculateAndUpdatePower( // @audit why int128
msg.sender,
userLock.amount,
newUnlockTime
);

Example scenario:

  • User locks 100 tokens for 400 days

  • After 310 days, user extends by 10 days

  • When calculating new voting power, block.timestamp is used which results in power calculation based on only 100 days instead of 410 days total lock time

  • This leads to a lower newBias than oldPower, causing tokens to be burned incorrectly

Impact

This miscalculation can lead to an unintended reduction in voting power when users extend their locks. Instead of maintaining or increasing voting power, users may experience token burning, resulting in permanent loss of governance influence.

Recommendations

Ensure that the extend function correctly factors in the total lock duration rather than the remaining duration when recalculating voting power, preventing unnecessary token burning and power loss.

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Design choice

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.