`veRAACToken::_lockState.totalLocked` Not Decremented on Withdraw
Summary
The smart contract increments veRAACToken::_lockState.totalLocked when a lock is created but fails to decrement it when tokens are withdrawn. This results in a persistent overcount of the total locked amount, which can misrepresent actual locked funds in the contract.
Vulnerability Details
Within the LockManager::createLock function, the line state.totalLocked += amount; correctly increases the total locked counter when a user locks tokens. However, there is no corresponding logic to reduce _lockState.totalLocked when tokens are withdrawn. Consequently, _lockState.totalLocked remains perpetually inflated.
Impact
When the global boost state is updated, it uses _lockState.totalLocked to determine the totalWeight for boost calculations. Because _lockState.totalLocked is never decremented on withdrawals, this value becomes increasingly inflated over time, causing incorrect boost calculations and potentially leading to misallocated rewards or other inaccuracies in functions that rely on the global boost state.
Tools Used
Manual review
Recommendations
Decrement _lockState.totalLocked by the lock’s amount (e.g., _lockState.totalLocked -= userLock.amount;) when users withdraw or their lock expires, ensuring the metric accurately reflects the current total locked amount.
Lead Judging Commences
veRAACToken::withdraw / emergencyWithdraw doesn't substract the `_lockState.totalLocked`
veRAACToken::withdraw / emergencyWithdraw doesn't substract the `_lockState.totalLocked`
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.