Missing Boost State Update in Lock Extension
Summary
The extend function in the veRAACToken contract fails to update the boost state when users extend their lock duration. This oversight can lead to incorrect boost calculations and reward distributions since the boost mechanism relies on accurate state tracking.
Vulnerability Details
https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/tokens/veRAACToken.sol#L280
When users extend their lock duration through the extend function, the contract updates the lock duration and voting power but fails to call _updateBoostState. This function is crucial as it:
Updates the user's voting power in the boost state
Updates the total voting power
Updates the total weight
Updates the boost period
The _updateBoostState function is correctly called in both lock and increase functions:
Impact
-
Incorrect Boost Calculations: Functions like calculateBoost and getCurrentBoost may return incorrect values since they rely on outdated boost state data
-
Unfair Reward Distribution: Users might receive incorrect reward boosts since the boost multiplier calculations use stale data
Why high?
The bug directly affects reward calculations and distributions
The bug directly affects reward calculations and distributions
The boost mechanism is a core feature of the protocol
Recommendations
Add the missing _updateBoostState call in the extend function:
Lead Judging Commences
veRAACToken::_updateBoostState not called in extend/withdraw
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.