Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

Incorrect state update for _updateBoostState function in veRaacToken contract

olugbenga

Vulnerability Details

_updateBoostStateis called twice in veRAAC contract, inside lockand increase

function increase(uint256 amount) external nonReentrant whenNotPaused {
// Increase lock using LockManager
...
_updateBoostState(msg.sender, locks[msg.sender].amount);
....
_mint(msg.sender, newPower - balanceOf(msg.sender));
}
function lock(uint256 amount, uint256 duration) external nonReentrant whenNotPaused {
....
_updateBoostState(msg.sender, amount);
...
_mint(msg.sender, newPower);
emit LockCreated(msg.sender, amount, unlockTime);
}

We can see that _updateBoostState is called before minting in both cases.

function _updateBoostState(address user, uint256 newAmount) internal {
// Update boost calculator state
_boostState.votingPower = _votingState.calculatePowerAtTimestamp(user, block.timestamp);
// the total supply will be outdated once increase and lock functions mint
_boostState.totalVotingPower = totalSupply();
_boostState.totalWeight = _lockState.totalLocked;
_boostState.updateBoostPeriod();
}

We can also see that totalVotingPoweris set to the current totalSupply(). However, this total supply will become outdated once increase and lock functions call mint. This will lead to _boostState.totalVotingPower holding a wrong value of totalSupply.

I recommend calling _updateBoostStateafter calling mintin both lockand increasefunctions.

Impact

Wrong/Outdated value for _boostState.totalVotingPower

Tools Used
Manual

Recommendations

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

veRAACToken::_updateBoostState should be called later inside lock/increase

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!