The increase() function in veRAACToken.sol has a double accounting issue where voting power is incorrectly calculated, leading to users receiving more voting power than they should when increasing their lock amount.
In the increase() function, when calculating the new voting power after increasing a lock amount, the function incorrectly adds the additional amount to the existing lock amount twice:
https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/tokens/veRAACToken.sol#L251-#L260
First, in _lockState.increaseLock(msg.sender, amount), which already adds amount to the stored lock amount.
Second, when the new voting power is calculated from userLock.amount + amount, which adds the same amount again on top of the already-updated lock amount.
Example, assuming:
Initial state:
User has 1000 RAAC locked
User wants to increase by 500 RAAC
Lock duration remaining: 2 years (half of max duration)
Expected calculation:
New Amount = 1000 + 500 = 1500 RAAC
Voting Power = 1500 * (2/4) = 750 veRAAC
Actual calculation due to bug:
New Amount = 1000 + 500 = 1500 RAAC
But power calculation uses: (1500 + 500) * (2/4) = 1000 veRAAC
The user gets 1000 veRAAC instead of 750 veRAAC, a 33% increase in voting power they shouldn't have.
Users receive more voting power than intended when increasing their lock amount
A malicious user can use this to their advantage and distort governance by obtaining more voting power than their lock entitles them to.
Found by manual audit.
Remove the second addition of amount when calculating the new voting power: after increaseLock has updated the stored amount, compute the power from userLock.amount alone.
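The vulnerable and corrected patterns side by side, as an added illustration (not the project's contract); the names Lock, locks, votingPower, MAX_LOCK_DURATION and the linear-decay formula are assumptions for the model, and token transfers are omitted:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal model of the increase() double count. Added illustration, not the
// project's contract; Lock, locks, votingPower and MAX_LOCK_DURATION are
// assumed names. Token transfers are omitted to keep the model small.
contract LockDoubleCountDemo {
    uint256 public constant MAX_LOCK_DURATION = 4 * 365 days;
    struct Lock {
        uint256 amount; // tokens locked
        uint256 end;    // unlock timestamp
    }
    mapping(address => Lock) public locks;
    mapping(address => uint256) public votingPower;

    // Create a lock; e.g. createLock(1000, 2 * 365 days) for the example above.
    function createLock(uint256 amount, uint256 duration) external {
        require(locks[msg.sender].amount == 0, "lock exists");
        require(duration > 0 && duration <= MAX_LOCK_DURATION, "bad duration");
        locks[msg.sender] = Lock(amount, block.timestamp + duration);
        votingPower[msg.sender] = _power(amount, block.timestamp + duration);
    }

    // Mirrors _lockState.increaseLock: it already adds `amount` to storage.
    function _increaseLock(address user, uint256 amount) internal {
        locks[user].amount += amount;
    }

    // Linear decay: power = amount * remaining / MAX_LOCK_DURATION.
    function _power(uint256 amount, uint256 end) internal view returns (uint256) {
        if (end <= block.timestamp) return 0;
        return amount * (end - block.timestamp) / MAX_LOCK_DURATION;
    }

    // Vulnerable pattern: `amount` is counted in _increaseLock and again here.
    // With 1000 locked, 2 years left and amount = 500: (1500 + 500) * 2/4 = 1000.
    function increaseBuggy(uint256 amount) external {
        Lock storage l = locks[msg.sender];
        _increaseLock(msg.sender, amount);
        votingPower[msg.sender] = _power(l.amount + amount, l.end);
    }

    // Fixed: storage already holds the new total, so use it as-is.
    // Same inputs: 1500 * 2/4 = 750.
    function increaseFixed(uint256 amount) external {
        Lock storage l = locks[msg.sender];
        _increaseLock(msg.sender, amount);
        votingPower[msg.sender] = _power(l.amount, l.end);
    }
}
```

Because `l` is a storage pointer, `l.amount` already reflects the update made by `_increaseLock`, which is exactly why adding `amount` a second time overstates the power.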