Submission Details
Severity:
Improper handling of `state.totalLocked` variable
Summary
The state.totalLocked variable tracks the total amount of RAAC tokens locked across all user positions. However, when users withdraw their tokens after the lock duration expires, the withdrawn amount is not deducted from state.totalLocked.
Vulnerability Details
As we see there in withdraw function from veRAACToken contract there is no initiative to deduct the amount withdrawn.
function withdraw() external nonReentrant {
LockManager.Lock memory userLock = _lockState.locks[msg.sender];
if (userLock.amount == 0) revert LockNotFound();
if (block.timestamp < userLock.end) revert LockNotExpired();
uint256 amount = userLock.amount;
uint256 currentPower = balanceOf(msg.sender);
// Clear lock data
delete _lockState.locks[msg.sender];
delete _votingState.points[msg.sender];
// Update checkpoints
_checkpointState.writeCheckpoint(msg.sender, 0);
// Burn veTokens and transfer RAAC
_burn(msg.sender, currentPower);
raacToken.safeTransfer(msg.sender, amount);
emit Withdrawn(msg.sender, amount);
}
Impact
Inaccurate Tracking: state.totalLocked becomes inflated, no longer reflecting the actual locked token balance.
Tools Used
Manual audit
Recommendations
function withdraw() external nonReentrant {
LockManager.Lock memory userLock = _lockState.locks[msg.sender];
if (userLock.amount == 0) revert LockNotFound();
if (block.timestamp < userLock.end) revert LockNotExpired();
uint256 amount = userLock.amount;
uint256 currentPower = balanceOf(msg.sender);
_lockState.totalLocked -= userLock.amount ; // Fix
// Clear lock data
delete _lockState.locks[msg.sender];
delete _votingState.points[msg.sender];
// Update checkpoints
_checkpointState.writeCheckpoint(msg.sender, 0);
// Burn veTokens and transfer RAAC
_burn(msg.sender, currentPower);
raacToken.safeTransfer(msg.sender, amount);
emit Withdrawn(msg.sender, amount);
}
Updates
Lead Judging Commences
inallhonesty 4 months ago
Submission Judgement Published Assigned finding tags:
veRAACToken::withdraw / emergencyWithdraw doesn't substract the `_lockState.totalLocked`
inallhonesty 4 months ago
Submission Judgement Published Assigned finding tags:
veRAACToken::withdraw / emergencyWithdraw doesn't substract the `_lockState.totalLocked`
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.