Users can vote to multiple gauges with max voting power
Summary
The vote function in GaugeController allows users to allocate their voting power to a gauge. However, the function does not reduce a user’s available voting power after they have voted. This allows users to vote with their full voting power on multiple gauges simultaneously, effectively duplicating their influence and manipulating the reward distribution.
Vulnerability Details
When a user votes, their voting power (veRAACToken.balanceOf(msg.sender)) is checked. However, this balance is not deducted or locked when voting, meaning the user can vote for multiple gauges with their full voting power each time. This allows a single voter to:
Vote with
WEIGHT_PRECISIONon multiple gauges.Influence multiple liquidity pools far beyond their actual veRAAC holdings.
Manipulate gauge rewards, directing an unfair amount of incentives toward certain pools.
Impact
Gauge rewards can be manipulated, allowing a malicious actor to redirect emissions unfairly.
Tools Used
Manual
Recommendations
Introduce a mechanism to track used voting power per user and ensure they cannot exceed their total balance.
Lead Judging Commences
GaugeController::vote lacks total weight tracking, allowing users to allocate 100% of voting power to multiple gauges simultaneously
GaugeController::vote lacks total weight tracking, allowing users to allocate 100% of voting power to multiple gauges simultaneously
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.