Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

`MAX_TOTAL_SUPPLY` can be bypassed

Summary

The veRAACToken contract's increase function lacks validation against MAX_TOTAL_SUPPLY (100M), allowing the total supply to exceed this limit through multiple increase operations.

Vulnerability Details

While the lock function properly validates against MAX_TOTAL_SUPPLY, the increase function has no such check:

    function increase(uint256 amount) external nonReentrant whenNotPaused {
        // Increase lock using LockManager
        _lockState.increaseLock(msg.sender, amount);
        _updateBoostState(msg.sender, locks[msg.sender].amount);

        // Update voting power
        LockManager.Lock memory userLock = _lockState.locks[msg.sender];
        (int128 newBias, int128 newSlope) = _votingState.calculateAndUpdatePower(
            msg.sender,
            userLock.amount + amount,
            userLock.end
        );

        // Update checkpoints
        uint256 newPower = uint256(uint128(newBias));
        _checkpointState.writeCheckpoint(msg.sender, newPower);

        // Transfer additional tokens and mint veTokens
        raacToken.safeTransferFrom(msg.sender, address(this), amount);
        _mint(msg.sender, newPower - balanceOf(msg.sender));

        emit LockIncreased(msg.sender, amount);
    }

Example scenario:

  • Many users have locked small amounts (around 1M)

  • A user with 1M locked can increase their lock by an additional 9M

  1. Total supply is at 99M

  2. 10 users call increase with 9M each

  3. An additional 90M tokens are minted, exceeding MAX_TOTAL_SUPPLY by 89M

Impact

The core supply cap of 100M tokens can be bypassed, which breaks the tokenomics of the protocol.

Recommendations

Add MAX_TOTAL_SUPPLY validation to increase.
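
One way to apply this recommendation, shown as an added, simplified model that is not the veRAACToken source: the cap check lives in one internal guard that both mint paths call before changing state. Assumptions: 1 veToken is minted per token locked (the real contract mints time-weighted voting power), the token uses 18 decimals, and the names `CappedLockModel`, `_checkCap`, `increaseUnchecked`, `increaseChecked`, `TotalSupplyLimitExceeded` and `NoExistingLock` are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration only; not the audited contract.
/// Assumption: veTokens are minted 1:1 with the locked amount.
contract CappedLockModel {
    // 100M cap as stated in the finding; 18 decimals is an assumption.
    uint256 public constant MAX_TOTAL_SUPPLY = 100_000_000 * 1e18;
    uint256 public totalSupply;
    mapping(address => uint256) public locked;

    error TotalSupplyLimitExceeded(); // hypothetical error name
    error NoExistingLock();           // hypothetical error name

    /// Single guard shared by every path that mints, so the paths cannot drift apart.
    function _checkCap(uint256 amount) internal view {
        if (totalSupply + amount > MAX_TOTAL_SUPPLY) revert TotalSupplyLimitExceeded();
    }

    /// Creating a lock validates the cap, as the finding says lock does.
    function lock(uint256 amount) external {
        _checkCap(amount);
        _mint(msg.sender, amount);
    }

    /// Pattern from the finding: the increase path mints without cap validation.
    function increaseUnchecked(uint256 amount) external {
        if (locked[msg.sender] == 0) revert NoExistingLock();
        _mint(msg.sender, amount);
    }

    /// Hardened increase: validate before any state change or mint.
    function increaseChecked(uint256 amount) external {
        if (locked[msg.sender] == 0) revert NoExistingLock();
        _checkCap(amount);
        _mint(msg.sender, amount);
    }

    function _mint(address to, uint256 amount) internal {
        locked[to] += amount;
        totalSupply += amount;
    }
}
```

In the real contract the guard would have to be evaluated against the veToken amount actually minted, which `increase` derives from the new voting power rather than from `amount` directly.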

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

veRAACToken::increase doesn't check the token supply, making it possible to mint over the MAX
