Core Contracts

Regnum Aurum Acquisition Corp
Hardhat · Real World Assets · NFT
77,280 USDC

Submission Details
Severity: high
Valid

Calling veRAACToken.lock() multiple times will overwrite the previously set amount

Summary

Calling veRAACToken.lock() multiple times will overwrite the previously set amount

Vulnerability Details

When a user calls veRAACToken.lock(), a new Lock is created with the input amount: the user transfers RAACTokens to the contract and is minted veRAACTokens in a 1:1 ratio. However, lock() can be called multiple times, and each call creates a new Lock that overwrites the amount of the previous one.

When the Lock ends, the user will not be able to withdraw() all of the deposited RAACTokens, because withdraw() relies on the overwritten amount.

Impact

A user could reach a point where they cannot withdraw all the RAACTokens they originally deposited, or redeem all of the veRAACTokens they received. A user unfamiliar with how the protocol works may try to enlarge their position by calling lock() again instead of increase()/extend(), leading to the scenario above. They could also use this bug on purpose if they want to redeem part of their veRAACTokens and hold the rest of them.

Tools Used

Manual review

Recommendations

Either do not allow a user who already has a Lock to call lock() again, or allow it but make the new Lock track the accumulated amount of the previous Locks. In the second case, the `createLock()` function from the LockManager library should be updated as follows:

```diff
function createLock(
    LockState storage state,
    address user,
    uint256 amount,
    uint256 duration
) internal returns (uint256 end) {
    // Validation logic remains the same
    if (state.minLockDuration != 0 && state.maxLockDuration != 0) {
        if (duration < state.minLockDuration || duration > state.maxLockDuration)
            revert InvalidLockDuration();
    }
    if (amount == 0) revert InvalidLockAmount();
    end = block.timestamp + duration;
    state.locks[user] = Lock({
-       amount: amount,
+       amount: state.locks[user].amount + amount,
        end: end,
        exists: true
    });
    state.totalLocked += amount;
    emit LockCreated(user, amount, end);
    return end;
}
```
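As an added illustration (not the audited project's code), a minimal one-lock-per-user ledger in Solidity with the overwriting behaviour described above next to an accumulating variant. The check that a repeat call cannot move the end time earlier is an assumption added here beyond the page's recommendation; the RAAC transfer and 1:1 veRAAC minting of the real contract are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited project's code: one lock per user, as in
// LockManager, with the overwriting behaviour the finding describes next to an
// accumulating variant. Token transfers and veRAAC minting are omitted.
contract LockLedgerDemo {
    struct Lock { uint256 amount; uint256 end; bool exists; }

    mapping(address => Lock) public locks;
    uint256 public totalLocked;

    error InvalidLockAmount();
    error LockShortened();

    // Vulnerable shape: a second call replaces the stored amount while
    // totalLocked (and the veRAAC minted 1:1 for both calls) keep growing.
    function lockOverwriting(uint256 amount, uint256 duration) external returns (uint256 end) {
        if (amount == 0) revert InvalidLockAmount();
        end = block.timestamp + duration;
        locks[msg.sender] = Lock({amount: amount, end: end, exists: true});
        totalLocked += amount;
    }

    // Hardened shape: add to the existing amount and refuse an end time earlier
    // than the current one (assumption added here), so a repeat call can
    // neither drop the first deposit nor unlock it ahead of schedule.
    function lockAccumulating(uint256 amount, uint256 duration) external returns (uint256 end) {
        if (amount == 0) revert InvalidLockAmount();
        Lock storage l = locks[msg.sender];
        end = block.timestamp + duration;
        if (l.exists && end < l.end) revert LockShortened();
        l.amount += amount;
        l.end = end;
        l.exists = true;
        totalLocked += amount;
    }

    // What withdraw() would hand back once the lock has ended: this is the value
    // the overwriting path leaves smaller than the tokens actually deposited.
    function withdrawable(address user) external view returns (uint256) {
        Lock storage l = locks[user];
        return (l.exists && block.timestamp >= l.end) ? l.amount : 0;
    }
}
```

Deploying this in Remix and calling lockOverwriting(100, 1000) then lockOverwriting(50, 1000) from one account leaves locks[account].amount at 50 while totalLocked is 150; the same two calls through lockAccumulating leave 150 in both.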
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

veRAACToken::lock called multiple times, by the same user, leads to loss of funds
