Missing `veRAACToken::_updateBoostState` Calls in `veRAACToken::withdraw` and `veRAACToken::extend`
Summary
The veRAACToken::_updateBoostState function, responsible for recalculating and updating the global boost-related states (e.g., totalLocked and totalVotingPower), is only invoked in veRAACToken::lock and veRAACToken::increase but is overlooked in veRAACToken::withdraw and veRAACToken::extend. As a result, the global boost state remains stale after withdrawals or lock extensions, leading to inaccurate calculations for functions reliant on this state.
Vulnerability Details
When users withdraw or extend their lock, the total locked amount and voting power parameters may change. However, veRAACToken::_updateBoostState is not called in these operations, so the global state does not reflect these new values. This discrepancy can cause reward distribution, governance calculations, or other protocol logic dependent on the global boost state to operate on outdated data.
Impact
Because the global boost state is never refreshed on withdraw and extend, the protocol can miscalculate boosts and total voting power. This may result in unfair reward allocations, skewed governance influence, or other unintended outcomes that rely on accurate global state tracking.
Tools Used
Manual review
Recommendations
Invoke _updateBoostState within veRAACToken::withdraw and veRAACToken::extend to ensure the global state accurately reflects changes in locked tokens and voting power.
Lead Judging Commences
veRAACToken::_updateBoostState not called in extend/withdraw
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.