Core Contracts

The contract defines a constant `MAX_TOTAL_LOCKED_AMOUNT (set to 1B RAAC tokens)` intended to cap the total amount of tokens that can be locked globally. However, the `lock()` function does not include a check to ensure that the new lock does not cause the total locked tokens to exceed this limit.

In the `_initializeLockParameters()` function, the maximum total locked tokens is set:

​

_lockState.maxTotalLocked = MAX_TOTAL_LOCKED_AMOUNT; // 1B

However, in the `lock()` function, while individual lock limits and total supply limits are checked, there is no verification that the sum of all locked tokens (including the new lock) does not exceed `MAX_TOTAL_LOCKED_AMOUNT`. This absence of a check allows the possibility of locking more tokens than the protocol's defined global maximum.

​

​

​

Imagine a scenario where:

​

The protocol already has 900M RAAC tokens locked.

A new lock is created for an additional 200M tokens.

Since the `lock()` function lacks a check against `MAX_TOTAL_LOCKED_AMOUNT`, the total locked tokens would reach 1.1B, exceeding the defined cap of 1B.

This over-locking could skew the calculations for voting power, boost, and other protocol parameters that depend on the total locked amount.

​

Exceeding Intended Limits:

Users might be able to lock RAAC tokens beyond the prescribed maximum, undermining the protocol's economic constraints and potentially impacting governance, reward distribution, and risk management.

​

Disruption of Economic Model:

The global cap on locked tokens is likely designed to maintain balance in voting power and boost calculations. Exceeding this cap could distort these metrics, leading to unfair advantages or misaligned incentives.

​

Systemic Risk:

Allowing total locked tokens to surpass the defined maximum may expose the protocol to unforeseen economic vulnerabilities or market manipulations.

Implement a Global Cap Check:

Enhance the `lock()` function (or the underlying LockManager logic) to verify that the sum of currently locked tokens plus the new lock amount does not exceed `MAX_TOTAL_LOCKED_AMOUNT`. For example:

​

require(_lockState.totalLocked + amount <= _lockState.maxTotalLocked, "Total locked amount exceeds maximum limit");\

​

Update LockManager Library:

If the global total locked amount is maintained within the LockManager, ensure that all functions that modify lock positions correctly update and enforce this global cap.

​

Implement Unit Tests:

Develop tests that simulate multiple lock operations to ensure that the contract prevents locking tokens beyond the maximum global limit.

​

By addressing these recommendations, the protocol can maintain the integrity of its locked token metrics and ensure that its economic and governance models operate within the intended parameters.

​