Submission Details
Severity:
`BaseGauge::_getBaseWeight` has wrong implementation
Summary
BaseGauge::_getBaseWeight has wrong implementation.
If we call it to get the base weight for an account, rather than getting the base weight for the account we will get the base weight for address(this)
Vulnerability Details
/**
* @notice Gets base weight for an account
* @dev Virtual function to be implemented by child contracts
* @param account Address to get weight for
* @return Base weight value
*/
function _getBaseWeight(address account) internal view virtual returns (uint256) {
return IGaugeController(controller).getGaugeWeight(address(this)); 👈👈
}
On BaseGauge::getUserWeight we can see it is passing an account address and then call _applyBoost.
But it will return the baseWeight for address(this) not for the passed account's address.
/**
* @notice Gets user's current weight including boost
* @param account Address to get weight for
* @return User's current weight
*/
function getUserWeight(address account) public view virtual returns (uint256) {
uint256 baseWeight = _getBaseWeight(account); 👈👈
return _applyBoost(account, baseWeight);
}
Impact
The function does not return the correct value as expected, as a result, it will break the protocol's functionality.
Tools Used
Manual review
Recommendations
/**
* @notice Gets base weight for an account
* @dev Virtual function to be implemented by child contracts
* @param account Address to get weight for
* @return Base weight value
*/
function _getBaseWeight(address account) internal view virtual returns (uint256) {
- return IGaugeController(controller).getGaugeWeight(address(this));
+ return IGaugeController(controller).getGaugeWeight(account);
}
Updates
Lead Judging Commences
inallhonesty 7 months ago
Submission Judgement Published Assigned finding tags:
BaseGauge._getBaseWeight ignores account parameter and returns gauge's total weight, allowing users to claim rewards from gauges they never voted for or staked in
inallhonesty 7 months ago
Submission Judgement Published Assigned finding tags:
BaseGauge._getBaseWeight ignores account parameter and returns gauge's total weight, allowing users to claim rewards from gauges they never voted for or staked in
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420
USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.