Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

Checkpointing is not handled correctly

Summary

The code uses a CheckpointState struct and PowerCheckpoint library to manage historical voting power. It tracks changes in voting power over time, allowing the retrieval of an account's voting power at a specific block.

Vulnerability Details

In the veRAACToken contract, the withdraw function updates checkpoints but the emergencyWithdraw function does not.

Impact

Missing the checkpoint in emergencyWithdraw could lead to inaccurate historical voting power, improper governance calculations, and inconsistent state between normal and emergency withdrawals.
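
The effect described above, as a simplified Python model added here for illustration; it is not the veRAACToken or PowerCheckpoint code. The class, its method names, the block numbers and the `write_checkpoint` switch are assumptions made for the example.

```python
from bisect import bisect_right


class VotingEscrowModel:
    """Simplified model of per-account voting power checkpoints (hypothetical names)."""

    def __init__(self):
        self.block = 0
        self.power = {}        # current voting power per account
        self.checkpoints = {}  # account -> [(block, power), ...] in block order

    def _write_checkpoint(self, account, power):
        self.checkpoints.setdefault(account, []).append((self.block, power))

    def mine(self, blocks=1):
        self.block += blocks

    def lock(self, account, power):
        self.power[account] = power
        self._write_checkpoint(account, power)

    def withdraw(self, account):
        # Normal path: power is zeroed and the change is checkpointed.
        self.power[account] = 0
        self._write_checkpoint(account, 0)

    def emergency_withdraw(self, account, write_checkpoint):
        # write_checkpoint=False models the reported behaviour,
        # write_checkpoint=True models the recommended fix.
        self.power[account] = 0
        if write_checkpoint:
            self._write_checkpoint(account, 0)

    def past_votes(self, account, block):
        # Latest checkpoint at or before `block`, found by binary search.
        cps = self.checkpoints.get(account, [])
        i = bisect_right(cps, (block, float("inf")))
        return cps[i - 1][1] if i else 0


def scenario(write_checkpoint):
    """Constructed timeline: lock at block 10, emergency exit at 15, lookup at 20."""
    m = VotingEscrowModel()
    m.mine(10)
    m.lock("alice", 1000)
    m.mine(5)
    m.emergency_withdraw("alice", write_checkpoint)
    m.mine(5)
    return m.power["alice"], m.past_votes("alice", 20)
```

`scenario(False)` returns `(0, 1000)`: the account holds no power, yet the historical lookup still reports the pre-exit value. `scenario(True)` returns `(0, 0)`.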

Recommendations

Fix the emergencyWithdraw function by adding the checkpoint:

function emergencyWithdraw() external nonReentrant {
if (emergencyWithdrawDelay == 0 || block.timestamp < emergencyWithdrawDelay)
revert EmergencyWithdrawNotEnabled();
LockManager.Lock memory userLock = _lockState.locks[msg.sender];
if (userLock.amount == 0) revert NoTokensLocked();
uint256 amount = userLock.amount;
uint256 currentPower = balanceOf(msg.sender);
delete _lockState.locks[msg.sender];
delete _votingState.points[msg.sender];
+ _checkpointState.writeCheckpoint(msg.sender, 0);
_burn(msg.sender, currentPower);
raacToken.safeTransfer(msg.sender, amount);
emit EmergencyWithdrawn(msg.sender, amount);
}
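
Review bot: The added `_checkpointState.writeCheckpoint(msg.sender, 0);` line repeats by hand a step the finding says `withdraw` already performs, so the two exit paths can drift apart again; consider moving the shared teardown (the two `delete` statements, the checkpoint write and `_burn`) into one internal helper called from both functions. The hard-coded `0` is also only correct as long as `_burn(msg.sender, currentPower)` on the following line removes the full balance, so a short comment stating that, plus a regression test that reads historical voting power after `emergencyWithdraw`, would make the fix easier to verify.
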
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

veRAACToken::emergencyWithdraw doesn't update checkpoint - inaccurate historical voting power, inconsistent state
