Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Zero-Amount Increase Bypasses Vote Decay Mechanism Through new Checkpoints creation

allamloqman

Summary :

The increase(0) function call allows users to maintain constant voting power by creating new checkpoints that bypass the intended linear decay of voting power over time.

Vulnerability Details :

The vulnerability exist in the increase function in the veRAACToken contract that doesn't check for Zero amount as follow :

function increase(uint256 amount) external nonReentrant whenNotPaused {

(int128 newBias, int128 newSlope) = _votingState.calculateAndUpdatePower(

msg.sender,

userLock.amount + 0, // No change in amount / amount = 0, no real increase

userLock.end

);

uint256 newPower = uint256(uint128(newBias));

_checkpointState.writeCheckpoint(msg.sender, newPower);

}

Each checkpoint stores:

Block number when created and Compressed power value at that block, so can The voting power queries use these checkpoints:

function getPastVotes(address account, uint256 blockNumber) public view returns (uint256) {

return _checkpointState.getPastVotes(account, blockNumber);

}

we can show this with a simple attack path :

User has existing lock with voting power.
Calls increase(0) multiple times.
Each call creates new checkpoint at current block.
Same voting power recorded at different blocks.

as we can see in the writeCheckpoint function in Checkpoints contract :

if (last.fromBlock > blockNumber) revert InvalidBlockOrder();

newValue = compress(op(last.value, value));

} else {

newValue = compress(value);

}

This shows that:

When in same block, it applies an operation (op) between last value and new value
When in new block, it directly compresses and stores the new value therefor the vote Power value doesn't decay as intended and Continues until lock expiry.

Impact :

[the likelihood is high so does the impact.]

The voting power influence got extended with the same initial power effectively maintaining the exact same initial power sustained until the lock period ends.

Recommendations :

Implement a strict amount validation.

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago

Submission Judgement Published

Validated

Assigned finding tags:

veRAACToken::increase calculates new bias using original locked amount not accounting for decay, allowing unfair voting power boost through incremental locking

inallhonesty Lead Judge 3 months ago

Submission Judgement Published

Validated

Assigned finding tags:

veRAACToken::increase calculates new bias using original locked amount not accounting for decay, allowing unfair voting power boost through incremental locking

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.