Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Double-Counting of Locked Amount in increase Function

oxelmiguel

Summary

The increase function in the veRAACToken contract contains a critical bug where the additional locked amount (amount) is double-counted when calculating voting power. This results in incorrect voting power calculations and over-minting of veTokens.

Vulnerability Details

Location

The vulnerability is located in the increase function:

link

function increase(uint256 amount) external nonReentrant whenNotPaused {

// Increase lock using LockManager

_lockState.increaseLock(msg.sender, amount); // <-- Increases `userLock.amount` by `amount`

_updateBoostState(msg.sender, locks[msg.sender].amount);

// Update voting power

LockManager.Lock memory userLock = _lockState.locks[msg.sender];

(int128 newBias, int128 newSlope) = _votingState.calculateAndUpdatePower(

msg.sender,

userLock.amount + amount, // <-- Problematic line: Double-counts `amount`

userLock.end

);

// Update checkpoints

uint256 newPower = uint256(uint128(newBias));

_checkpointState.writeCheckpoint(msg.sender, newPower);

// Transfer additional tokens and mint veTokens

raacToken.safeTransferFrom(msg.sender, address(this), amount);

_mint(msg.sender, newPower - balanceOf(msg.sender)); // <-- Problematic line: Incorrect minting logic

emit LockIncreased(msg.sender, amount);

}

Root Cause

Double-Counting of amount:
- The _lockState.increaseLock function increases the user's locked amount (userLock.amount) by amount.
- Immediately after, the calculateAndUpdatePower function is called with userLock.amount + amount, which effectively adds amount twice:
  - Once in _lockState.increaseLock.
  - Again in the calculateAndUpdatePower call.
This results in the voting power being calculated based on lastLock + amount + amount instead of lastLock + amount.
Incorrect Minting Logic:
- The _mint function is called with newPower - balanceOf(msg.sender), where newPower is derived from the double-counted amount.
- This leads to over-minting of veTokens, as the voting power is artificially inflated.

Impact

Over-Minting of veTokens:
- The double-counting of amount results in newPower being larger than it should be, leading to more veTokens being minted than intended.
Economic Exploitation:
- An attacker could exploit this bug to mint excessive veTokens, gaining disproportionate voting power or rewards.

Tools Used

Manual Code Review

Recommendations

To fix the double-counting issue, the calculateAndUpdatePower function should be called with userLock.amount (amount).

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

veRAACToken::increase doubles the voting power of users

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!