lock could override position in `veRAACToken`
Summary
In the veRAACToken::lock function, if a user attempts to lock tokens for a second time, the new lock position overwrites the existing one. This occurs because the _lockState.createLock function does not handle multiple lock positions for the same user. As a result, users cannot create multiple lock positions, and their existing positions are lost when they attempt to lock additional tokens.
Vulnerability Details
The lock function allows users to lock tokens by specifying an amount and duration. However, the _lockState.createLock function does not support multiple lock positions for the same user. Instead, it overwrites the existing lock position when a user calls the lock function again and all locked tokens will be stucked.
Impact
Loss of Lock Positions: Users lose their existing lock positions when they attempt to lock additional tokens, resulting in a loss of tokens.
Tools Used
Manual review
Recommendations
To address this issue, veRAACToken::lock should check if there is a locked position.
Lead Judging Commences
veRAACToken::lock called multiple times, by the same user, leads to loss of funds
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.