uninitialized-state variable [veRAACToken.locks] is never initialized
Summary
The state variable locks in the veRAACToken contract is never explicitly initialized, yet it is used in several key functions. This can lead to incorrect token locking behavior and miscalculations in user balances and lock end times.
Vulnerability Details
The locks variable is designed to store information about token locks (such as the amount locked and the lock end time). However, the contract never initializes this variable. As a result, functions that rely on locks—including increase, getLockedBalance , and getLockEndTime access it in its default uninitialized state. Depending on the type, an uninitialized variable (or mapping) defaults to empty or zero values, causing:
Incorrect or zero locked balances to be returned.
Incorrect calculation of lock end times.
Potential failures in updating lock data when calling functions that modify locks (e.g., in the increase function).
Impact
The locks variable is a core component for tracking token locks, yet no initialization logic exists.
All functions relying on this variable will consistently operate on default values, leading to predictable misbehavior.
In a decentralized finance environment, even minor miscalculations can be exploited or result in significant discrepancies in user balances and governance outcomes.
Tools Used
github
Recommendations
To fix the vulnerability, ensure that the locks variable is properly initialized and maintained. Depending on its intended structure, initialization can be performed either during deployment or at the first interaction. For example, if locks is a mapping from addresses to a struct (e.g., LockInfo), then each new entry should be properly instantiated before use.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.