Lockstate is NOT checked during Lock Creation
Summary
There is a missing lockState check in function createLock() in veRAACToken.
If the user calls the lock() twice, then it will result in his previous locked amount(amount locked during first call) to get ERASED and updated to NEW values.
Vulnerability Details
A user can lock his position for RAAC Tokens via lock() in veRAACToken contract.
In order to create a lock, it calls into createLock() in LockManager Library.
However, there is NO validation check on whether the lockState currently exists or not.
If you look into other similar functions like extend() , increase() etc. They have proper checks on the LockState, but it has NOT been done during lock creation.
If a user were to call function lock() twice, it would result in his previous locked amount getting ERASED and they'll be updated to the new values which were supplied on the second call.
This could also lead to inaccurate accounting, when interacting with other functions such as increase() or extend().
Impact
User's old locked amount may get erased
It could also result in inaccurate accounting
Tools Used
Manual
Recommendations
Consider adding this check in createLock()
Lead Judging Commences
veRAACToken::lock called multiple times, by the same user, leads to loss of funds
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.