Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

Inconsistent weights in `GaugeController`

Summary

The GaugeController contract uses inconsistent decimal scaling for weights, which leads to incorrect calculations.

Vulnerability Details

Vote weights have no decimals (`WEIGHT_PRECISION = 10000`):

```solidity
function vote(..., uint256 weight) {
    if (weight > WEIGHT_PRECISION) revert InvalidWeight(); // 0-10000
}
```

Initial period weights have no decimals:

```solidity
function addGauge(...) {
    uint256 periodWeight = initialWeight == 0 ? 1 : initialWeight;
    TimeWeightedAverage.createPeriod(
        period,
        block.timestamp,
        duration,
        periodWeight,
        periodWeight // no decimals
    );
}
```

Gauge weights get 18 decimals in `_updateGaugeWeight`:

```solidity
function vote(...) {
    uint256 votingPower = veRAACToken.balanceOf(msg.sender); // 18 decimals
}
function _updateGaugeWeight(..., uint256 votingPower) {
    uint256 newGaugeWeight = oldGaugeWeight - (oldWeight * votingPower / WEIGHT_PRECISION)
        + (newWeight * votingPower / WEIGHT_PRECISION);
    g.weight = newGaugeWeight; // 18 decimals due to votingPower
}
```

`updatePeriod` uses `g.weight`:

```solidity
function updatePeriod(...) {
    TimeWeightedAverage.createPeriod(
        period,
        block.timestamp + 1,
        duration,
        average,
        g.weight // 18 decimals
    );
}
```

There are more functions that use weights.

Impact

High: Incorrect weight scaling, leading to wrong calculations.

Recommendations

Ensure consistent decimal scaling across all weight-related operations.
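
An added example, not part of the submission or the project's code: a JavaScript BigInt model of the arithmetic quoted above, run on a constructed scenario to show the scale gap between the two period weights. It assumes `g.weight` starts at `initialWeight`, and `toBasisPoints` is a hypothetical normalization shown as one way to keep weights on the 0-10000 scale.

```javascript
// Added illustration: models only the arithmetic quoted in the report above.
const WEIGHT_PRECISION = 10000n;   // vote weights are 0-10000 (from the report)
const ONE_TOKEN = 10n ** 18n;      // 18-decimal unit of veRAACToken balances

// Period weight passed to createPeriod in addGauge (quoted in the report).
function addGaugePeriodWeight(initialWeight) {
  return initialWeight === 0n ? 1n : initialWeight;
}

// Gauge weight formula quoted from _updateGaugeWeight.
function updateGaugeWeight(oldGaugeWeight, oldWeight, newWeight, votingPower) {
  if (newWeight > WEIGHT_PRECISION) throw new RangeError("InvalidWeight");
  return oldGaugeWeight
    - (oldWeight * votingPower) / WEIGHT_PRECISION
    + (newWeight * votingPower) / WEIGHT_PRECISION;
}

// Difference in decimal digits between two weights: a quick scale check.
function magnitudeGap(a, b) {
  return b.toString().length - a.toString().length;
}

// Hypothetical normalization (not from the contract): express a gauge weight
// as a 0-10000 share of the total voting power that produced it.
function toBasisPoints(gaugeWeight, totalVotingPower) {
  if (totalVotingPower === 0n) return 0n;
  return (gaugeWeight * WEIGHT_PRECISION) / totalVotingPower;
}

// Constructed scenario: gauge added with initialWeight 100, then one voter
// holding 1000 veRAAC puts 50% (5000) on it. Assumes g.weight starts at
// initialWeight, which the report does not show.
function scenario() {
  const initialWeight = 100n;
  const votingPower = 1000n * ONE_TOKEN;
  const firstPeriod = addGaugePeriodWeight(initialWeight);
  const gaugeWeight = updateGaugeWeight(initialWeight, 0n, 5000n, votingPower);
  return {
    firstPeriod,                                   // weight given by addGauge
    nextPeriod: gaugeWeight,                       // weight given by updatePeriod
    gap: magnitudeGap(firstPeriod, gaugeWeight),
    normalized: toBasisPoints(gaugeWeight, votingPower),
  };
}

console.log(scenario());
```
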

Updates

Lead Judging Commences

inallhonesty Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Too generic
