Whenever the `increase` or `extend` function is called the calculated slope will be greater than intended or is supposed to be.
Summary
In the veRAACtoken contract everytime a core function is called, the calculateUpdateVotingPower function is called which does a few things like updating and computing the new voting power of the user and secondly what it does is that updates the slope too via the _updateSlopeChanges
Vulnerability Details
The issue in the above is that whenever the _updateSlopeChanges function will be called, it takes 4 params that are- VotingPowerState, unlockTime, oldSlope and the newSlope that was computed. The problem here is that evrytime the function is called to update the slopes, in the oldSlope param always 0 is passed which will lead to only the newSlope bieng added to the slopeChanges without the oldSlopes getting deducted from that meaning that it will lead to the incoorect slopes might also be very high slopes. and higher slopes mean that the votingPower that is supposed linearly decrease with time, will decrease a lot more faster than it should. Lets see with an example- first time i.e at the time of creating lock for the 1st time the slope was = 79274479959411. Now lets assume that the new computed slope is = 237823439878234 . Now this mapping would be updated as slope changes += newSlope i.e 79274479959411 + 237823439878234 = 317097919837645. however if the old slope was passed in: then the slopeChanges mapping would've been-: slopeChanges -= oldSlope; //79274479959411 - 79274479959411 = 0 and in the next if block slopeChanges+= newSlope i.e 0+237823439878234, now this mapping will be = 237823439878234 The difference can be seen b/w the slopes considering both the logics. But as the oldSLope is always beng passed in as 0, the update slope will always a lot higher than expected and intended
Impact
High impact because the slope is computed and is for the votingPower that is to be decreased over time accoridngly but because of aforementioned details above, this slope will always return a higher number and a higher number means the power will be decreased more quickly than it should.
Tools Used
Manual Review
Recommendations
When calling the _udpateSlopeChanges function instead of passing 0 in the oldSlope param get the oldSlope from a getter function and pass that in so that the computed slope returns corrrect values.
Code Snippets
Lead Judging Commences
veRAACToken::calculateAndUpdatePower always passes 0 for oldSlope in _updateSlopeChanges, causing slope accumulation instead of replacement and accelerated voting power decay
Informational. The slopeChanges value is incorrectly maintained but never consumed by any calculations.
veRAACToken::calculateAndUpdatePower always passes 0 for oldSlope in _updateSlopeChanges, causing slope accumulation instead of replacement and accelerated voting power decay
Informational. The slopeChanges value is incorrectly maintained but never consumed by any calculations.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.