There is no timelock on obtaining the RAAC token, so a user can get RAAC tokens basically for free via the path crvUSD -> rToken, rToken -> deToken (1:1), deToken + RAAC token -> rToken (1:1 + RAAC rewards), and finally rToken back to crvtoken. Technically this can happen at almost zero cost (the gas cost and slightly less crvUSD back; that also depends on the market, and a user can get more too). An attacker can use this setup to completely DoS the veRAAC token contract. Here's how:

Let's assume an attacker did all of this and got x amount of RAAC rewards. Now the attacker uses the function `lock`:
https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/tokens/veRAACToken.sol#L212
The maximum amount that can be locked is `uint256 public constant MAX_TOTAL_LOCKED_AMOUNT = 1_000_000_000e18;`

Adding to this, there is a bug (a user error, but one that can be used to DoS) in the function `lock`.
If it is called again and again it will overwrite the existing lock, but in https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/libraries/governance/LockManager.sol#L139

`state.totalLocked += amount;`

even after overwriting, this will keep increasing. So a malicious user can use the two methods above: get RAAC rewards cheaply (sweep them whenever there is a ton of RAAC in the stability pool; to do this they will spend very little, and this too is rare), accumulate a ton of RAAC, and then keep overwriting their own lock, increasing `state.totalLocked += amount;` each time.

This creates a state where the RAAC tokens are forever locked in the contract and all the functionality of governance is DoSed, as there is no way to get them back: `uint256 public constant MAX_TOTAL_LOCKED_AMOUNT = 1_000_000_000e18;` will get hit and there will be no way to unlock this amount of RAAC.
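
The accounting drift described above, as a simplified Python model added here (not code from the RAAC repository), with an invariant check and one possible mitigation. The `LockLedger` class, the form of the cap check, the `reject_relock` switch, the account names and the sample amount are assumptions for illustration; only `lock`, `state.totalLocked` and `MAX_TOTAL_LOCKED_AMOUNT` come from the finding.

```python
# Simplified model of the accounting described in the finding; not the RAAC contracts.
MAX_TOTAL_LOCKED_AMOUNT = 1_000_000_000 * 10**18  # constant quoted in the finding


class LockLedger:
    """Tracks per-user locks and the global total (hypothetical model)."""

    def __init__(self, reject_relock: bool):
        self.reject_relock = reject_relock  # hypothetical mitigation switch
        self.locks = {}        # user -> currently recorded lock amount
        self.total_locked = 0  # mirrors state.totalLocked

    def lock(self, user: str, amount: int) -> None:
        if self.reject_relock and user in self.locks:
            raise ValueError("lock already exists")
        # Assumed cap check: the page only says the cap "will get hit".
        if self.total_locked + amount > MAX_TOTAL_LOCKED_AMOUNT:
            raise ValueError("total locked amount exceeded")
        self.locks[user] = amount    # a repeated call overwrites the record
        self.total_locked += amount  # but the global total only ever grows

    def drift(self) -> int:
        """Invariant check: 0 when the total equals the sum of recorded locks."""
        return self.total_locked - sum(self.locks.values())


def simulate(reject_relock: bool, calls: int, amount: int) -> dict:
    """Same account locks `calls` times, then a second account tries once."""
    ledger = LockLedger(reject_relock)
    rejected = 0
    for _ in range(calls):
        try:
            ledger.lock("same_user", amount)  # constructed account name
        except ValueError:
            rejected += 1
    try:
        ledger.lock("other_user", amount)  # constructed account name
        other_ok = True
    except ValueError:
        other_ok = False
    return {"drift": ledger.drift(), "rejected": rejected,
            "other_user_can_lock": other_ok}


if __name__ == "__main__":
    amt = 10_000_000 * 10**18  # constructed sample amount
    print("as described:", simulate(False, 100, amt))
    print("re-lock rejected:", simulate(True, 100, amt))
```

A non-zero `drift()` is the signal to monitor or assert on in tests: the global total should always equal the sum of recorded locks.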