Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Unchecked Supply Cap in veRAACToken Increase Function

Summary

The increase function in the veRAACToken contract does not validate that newly minted veRAACTokens stay within the defined MAX_TOTAL_SUPPLY limit. Other minting paths (e.g., lock()) enforce this limit; increase does not, which allows an attacker to inflate the total veRAACToken supply beyond the 100 million cap.

Vulnerability Details

The increase function bypasses the supply cap by minting additional veRAACTokens without verifying the new total supply remains within the defined MAX_TOTAL_SUPPLY limit. This vulnerability violates the supply control guarantee, undermines the scarcity of veRAACTokens, and compromises the integrity of the governance mechanism. A malicious actor can exploit this by repeatedly calling the increase function with valid inputs; each call mints extra tokens until the global veRAACToken supply exceeds the maximum allowed, breaking the contract’s economic rules.

    function increase(uint256 amount) external nonReentrant whenNotPaused {
        // Increase the lock by adding more tokens.
        _lockState.increaseLock(msg.sender, amount);
        _updateBoostState(msg.sender, locks[msg.sender].amount);
        // Recalculate the user's new voting power (new veRAACToken amount)
        LockManager.Lock memory userLock = _lockState.locks[msg.sender];
        (int128 newBias, int128 newSlope) = _votingState.calculateAndUpdatePower(
            msg.sender,
            userLock.amount + amount,
            userLock.end
        );
        // Determine the new total voting power for the user.
        uint256 newPower = uint256(uint128(newBias));
        _checkpointState.writeCheckpoint(msg.sender, newPower);
        // Calculate the additional veRAACTokens to be minted.
        uint256 mintAmount = newPower - balanceOf(msg.sender);
        // MISSING CHECK: There is no condition here to ensure
        // (totalSupply() + mintAmount) does not exceed MAX_TOTAL_SUPPLY.
        // Without this check, repeated calls to increase will inflate the total veRAACToken supply beyond the fixed cap.
        // Transfer the additional RAAC tokens from the user.
        raacToken.safeTransferFrom(msg.sender, address(this), amount);
        // Mint the new veRAACTokens for the user.
        _mint(msg.sender, mintAmount);
        emit LockIncreased(msg.sender, amount);
    }

Impact

This vulnerability has a critical impact as it destroys the fixed supply guarantee, which is essential for preserving token scarcity and accurate governance weight.

The issue manifests through a straightforward execution path in the increase function, making it highly probable an attacker will exploit it. Excess tokens issued will distort voting power and reward distributions across the ecosystem.

Tools Used

Manual Review

Recommendations

Implement a check within the increase function to ensure the additional minting does not cause the total supply of veRAACTokens to exceed MAX_TOTAL_SUPPLY:

    function increase(uint256 amount) external nonReentrant whenNotPaused {
        _lockState.increaseLock(msg.sender, amount);
        _updateBoostState(msg.sender, locks[msg.sender].amount);
        LockManager.Lock memory userLock = _lockState.locks[msg.sender];
        (int128 newBias, int128 newSlope) = _votingState.calculateAndUpdatePower(
            msg.sender,
            userLock.amount + amount,
            userLock.end
        );
        uint256 newPower = uint256(uint128(newBias));
        _checkpointState.writeCheckpoint(msg.sender, newPower);
        // Determine the additional amount of veRAACTokens to mint
        uint256 mintAmount = newPower - balanceOf(msg.sender);
        // Enforce the maximum total supply constraint
        if (totalSupply() + mintAmount > MAX_TOTAL_SUPPLY) {
            revert TotalSupplyLimitExceeded();
        }
        raacToken.safeTransferFrom(msg.sender, address(this), amount);
        _mint(msg.sender, mintAmount);
        emit LockIncreased(msg.sender, amount);
    }

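
The recommendation above patches one entry point. As an added illustration (not code from the RAAC repository or from this submission), the contract below goes one step further and enforces the cap inside the internal mint routine, so lock(), increase() and any later minting path share the same check. CappedVoteToken, _powerFor, NoActiveLock and the MAX_LOCK_DURATION value are assumptions made for the example; RAAC token transfers and the real bias/slope accounting are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, NOT the RAAC code base. The contract name, _powerFor,
// NoActiveLock and MAX_LOCK_DURATION are hypothetical; the real contract
// derives power from its own bias/slope state, which is omitted here.
contract CappedVoteToken {
    uint256 public constant MAX_TOTAL_SUPPLY = 100_000_000e18; // 100M cap, as on the page
    uint256 public constant MAX_LOCK_DURATION = 1460 days;     // assumed value

    struct Lock { uint256 amount; uint256 end; }

    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    mapping(address => Lock) public locks;

    error TotalSupplyLimitExceeded();
    error NoActiveLock();

    // Single choke point: every path that creates tokens goes through here,
    // so a new entry point cannot forget the cap check.
    function _mint(address to, uint256 amount) internal {
        if (totalSupply + amount > MAX_TOTAL_SUPPLY) revert TotalSupplyLimitExceeded();
        totalSupply += amount;
        balanceOf[to] += amount;
    }

    // Assumed linear model: power = amount * remaining time / max duration.
    function _powerFor(uint256 amount, uint256 end) internal view returns (uint256) {
        return amount * (end - block.timestamp) / MAX_LOCK_DURATION;
    }

    function lock(uint256 amount, uint256 duration) external {
        locks[msg.sender] = Lock(amount, block.timestamp + duration);
        _mint(msg.sender, _powerFor(amount, block.timestamp + duration));
    }

    function increase(uint256 amount) external {
        Lock storage l = locks[msg.sender];
        if (l.end <= block.timestamp) revert NoActiveLock();
        l.amount += amount;
        uint256 newPower = _powerFor(l.amount, l.end);
        // In this model power shrinks as the lock ages, so guard the subtraction.
        uint256 held = balanceOf[msg.sender];
        _mint(msg.sender, newPower > held ? newPower - held : 0);
    }
}
```

Because the revert happens inside _mint, the whole transaction is rolled back when the cap would be crossed, including the lock-amount update made earlier in increase().
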
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

veRAACToken::increase doesn't check the token supply, making it possible to mint over the MAX
