Missing Maximum Supply Check in increase Function
Summary
The increase function in the veRAACToken contract allows users to increase their locked amount and mint additional veTokens. However, it fails to validate whether the total supply of veTokens will exceed the protocol's maximum supply limit (MAX_TOTAL_SUPPLY). This oversight will lead to the minting of tokens beyond the intended supply cap, violating the protocol's economic model.
Vulnerability Details
The vulnerability is located in the increase function:
Root Cause
The function calculates the new voting power (
newPower) based on the increased locked amount and mints the difference betweennewPowerand the user's current balance.However, it does not check whether the total supply of
veTokens(totalSupply() + (newPower - balanceOf(msg.sender))) will exceedMAX_TOTAL_SUPPLY.This allows users to mint tokens beyond the protocol's supply cap.
Impact
Supply Cap Violation:
The protocol's maximum supply limit (
MAX_TOTAL_SUPPLY) could be breached, undermining its tokenomics and design.
Tools Used
Manual Code Review
Recommendations
Add Maximum Supply Validation
Before minting newveTokens, add a check to ensure that the total supply will not exceedMAX_TOTAL_SUPPLY:
Lead Judging Commences
veRAACToken::increase doesn't check the token supply, making it possible to mint over the MAX
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.