Lack of access control in the recordVote() function. Any user can modify the _hasVotedOnProposal[] state variable on behalf of any voter and emit fake vote events.
Frontend or other off-chain services may display incorrect events, potentially misleading users.
Recommended to delete this unused function, because castVote in Governance.sol already tracks votes and emits events.
The protocol restricts the total supply of veRAACToken to <= 100_000_000e18, but the max total supply is checked incorrectly during lock creation. The check uses the deposited amount of RAAC tokens instead of newPower, the real amount of veRAACToken minted.
These 2 amounts will always be different, because the amount of veRAACToken to mint is calculated based on the deposited amount and duration:
Thus, if duration < MAX_LOCK_DURATION, the amount of veRAACToken to mint will always be smaller than the RAAC amount. Lock creation might revert in some cases where it shouldn't.
Recommended to check the MAX_TOTAL_SUPPLY limit right before minting, using the newPower value.
The protocol restricts the total supply of veRAACToken to <= 100_000_000e18. The max total supply is checked during lock creation, but not when a lock is increased or extended, when new tokens are also minted. The MAX_TOTAL_SUPPLY limit can be exceeded in some cases: when the limit is reached, users can't create new locks, but they can modify existing locks and mint excessive veTokens.
Recommended to check the MAX_TOTAL_SUPPLY limit in the increase() and extend() functions.
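Both veRAACToken supply findings above can be reproduced with a small model. This is an added example, not the protocol's Solidity code. It assumes a linear power formula, an assumed MAX_LOCK_DURATION of 4 years, and no decay, and the names VeModel, power_for and check_on_power are hypothetical.

```python
# Added illustration: a simplified integer model, not the protocol's Solidity code.
E18 = 10**18
MAX_TOTAL_SUPPLY = 100_000_000 * E18   # cap stated in the finding
MAX_LOCK_DURATION = 4 * 365 * 86400    # assumed value, not given on the page


class SupplyCapExceeded(Exception):
    """Stands in for the contract's revert."""


def power_for(amount: int, duration: int) -> int:
    # Assumed linear model: minted power equals the deposit only at max duration.
    return amount * duration // MAX_LOCK_DURATION


class VeModel:
    def __init__(self, total_supply: int = 0, check_on_power: bool = True):
        self.total_supply = total_supply
        self.check_on_power = check_on_power  # False = behaviour the findings describe
        self.locks = {}                       # user -> (amount, duration, power)

    def _set_lock(self, user, amount, duration):
        new_power = power_for(amount, duration)
        to_mint = new_power - self.locks.get(user, (0, 0, 0))[2]
        # Recommended check: compare what is actually minted, on every mint path.
        if self.check_on_power and self.total_supply + to_mint > MAX_TOTAL_SUPPLY:
            raise SupplyCapExceeded("mint would exceed MAX_TOTAL_SUPPLY")
        self.total_supply += to_mint
        self.locks[user] = (amount, duration, new_power)
        return to_mint

    def create(self, user, amount, duration):
        # Reported check: uses the deposited amount, and only on lock creation.
        if not self.check_on_power and self.total_supply + amount > MAX_TOTAL_SUPPLY:
            raise SupplyCapExceeded("deposit amount compared against the cap")
        return self._set_lock(user, amount, duration)

    def increase(self, user, extra):
        amount, duration, _ = self.locks[user]
        return self._set_lock(user, amount + extra, duration)

    def extend(self, user, new_duration):
        amount, _, _ = self.locks[user]
        return self._set_lock(user, amount, new_duration)
```

With check_on_power=False, a 1-year lock that would mint only a quarter of its deposit is rejected near the cap, while increase() and extend() push the supply past it. With the default, all three paths enforce the cap on the minted amount.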
Incorrect event emitted in the mintRewards function: it emits the RAAC amount transferred to the user instead of the RAAC amount minted. These 2 amounts will be different in most cases.
For comparison, the same event emits correct values in the tick() function:
Recommended to use the toMint value instead.
Lack of access control in checkAuctionEnded. Any user can call the checkAuctionEnded() function and emit fake events, even if the auction has already ended and AuctionEnded was emitted. Frontend or other off-chain services may display fake events, potentially misleading users.
Recommended to allow this function to be called only once.
suggestion is something that is done by ERC20.mint() function