Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Double accounting & underflow in increase function of veRaacToken leading to partial denial of service

0xmango

Summary

The increase function in veRAACToken.sol contains a logical error where the amount being added is double-counted during the accounting process. This leads to two vulnerabilities:

Excess Voting Power:
Users receive inflated voting power when using increase compared to using deposit directly.
Underflow-Induced Denial:
The same miscalculation leads to an underflow error when users attempt to perform certain sequences of increases, causing the function to revert and effectively locking users out from further increasing their stake.

Vulnerability Details

A. Double Accounting in increase Function

The core issue lies in the erroneous addition of the increase amount to the user’s accounting twice. This grants the user more voting power than intended.

Direct deposit:

veRaacToken.deposit(50e18, four_years); // -> 50e18 voting power on generated block.timestamp

Using increase (Inflated result):

veRaacToken.deposit(1, four_years);

veRaacToken.increaese(50e18 -1); // -> 99.99...e18 voting power

The second approach improperly grants nearly double the intended voting power due to the double-counting issue.

Code Location of the Typo:

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/tokens/veRAACToken.sol#L260

B. Underflow-Induced Reverts (Denial of Further Increases)

The faulty logic also causes underflows in the newBias calculation when users attempt a smaller increase after a larger one. This results in a revert and denies further interaction with the lock.

Sequence That Triggers Underflow:

Create initial Lock:

veRaacToken.deposit(1, four_years);

Increase lock by some amount:

veRaacToken.increase(20e18); // Passes, also voting power is now 39.99..e18

Try to increase lock again by an amount smaller than the previous one:

veRaacToken.increase(5e18); // Reverts due underflow.

The code assumes that the user’s balanceOf will always be larger or equal to the resulting newBias value. However, due to the previously mentioned typo, this invariant is broken, leading to a constant underflow revert for the user.

Code Location of invariant:
https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/tokens/veRAACToken.sol#L270

Impact

Voting power Inflation:

Users attain larger amounts of voting power than what their deposits should yield.

Denial of further increases:

Consequent calls to veRaacToken.increase(amount) of lower amounts will be denied.

Tools Used

Foundry

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

veRAACToken::increase doubles the voting power of users

veRAACToken::increase underflows on newPower - balanceOf(msg.sender)

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!