Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Incorrect Boost Multiplier Calculation

Summary

The getBoostMultiplier function in the BoostController contract contains a logical flaw in how it calculates the boost multiplier. The current implementation always returns the MAX_BOOST value, regardless of the user's actual boost parameters. The issue stems from an incorrect formula and from not integrating with the existing _calculateBoost function, which is designed to compute the boosted amount accurately.

Vulnerability Details

The vulnerability lies in the getBoostMultiplier function, specifically in the following lines:

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/governance/boost/BoostController.sol#L291

uint256 baseAmount = userBoost.amount * 10000 / MAX_BOOST;
return userBoost.amount * 10000 / baseAmount;

Issues Identified:

  1. Incorrect Formula: The formula userBoost.amount * 10000 / baseAmount will always return MAX_BOOST because baseAmount is derived from userBoost.amount * 10000 / MAX_BOOST. This results in the numerator and denominator canceling each other out, making the function return MAX_BOOST unconditionally.

  2. Lack of Integration with _calculateBoost: The _calculateBoost function is designed to compute the boosted amount based on user-specific parameters such as voting power, total weight, and token balances. However, the getBoostMultiplier function does not utilize this logic, leading to inaccurate results.

  3. Logical Flaw: The function does not account for the actual boost calculation logic, which depends on dynamic factors like user balance, total supply, and voting power.

Impact

  • Incorrect Boost Multiplier: Users will always receive the MAX_BOOST value, regardless of their actual boost eligibility or parameters. This undermines the fairness and intended mechanics of the boost system.

  • Economic Imbalance: Users may receive disproportionately high rewards, leading to economic imbalances within the protocol.

POC

x = userBoost.amount * 10000
multiplier = x / (x / MAX_BOOST)
           = x * (MAX_BOOST / x)
           = (x / x) * MAX_BOOST
           = MAX_BOOST // always
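Added example (not part of the submission or the RAAC code base): a Python model of the two quoted lines, using floor division the way Solidity's uint256 `/` does. MAX_BOOST = 25000 and the sample amounts are assumed values; the sweep shows the result does not depend on the amount at token scale, and that integer truncation only changes it for dust amounts of a few wei.

```python
# Added illustration: models the two quoted Solidity lines in isolation.
MAX_BOOST = 25_000  # assumed value in basis points; not stated on the page


def get_boost_multiplier(amount: int, max_boost: int = MAX_BOOST) -> int:
    """Mirror of the two quoted lines; `//` truncates like Solidity's `/`."""
    base_amount = amount * 10_000 // max_boost
    if base_amount == 0:
        # In Solidity 0.8+, division by zero reverts with Panic(0x12).
        raise ZeroDivisionError("baseAmount is zero: the division would revert")
    return amount * 10_000 // base_amount


def distinct_multipliers(amounts, max_boost: int = MAX_BOOST) -> set:
    """Collect every multiplier produced for the given boost amounts."""
    return {get_boost_multiplier(a, max_boost) for a in amounts}


def truncation_outliers(amounts, max_boost: int = MAX_BOOST) -> dict:
    """Amounts whose result is not max_boost because baseAmount was truncated."""
    out = {}
    for a in amounts:
        try:
            m = get_boost_multiplier(a, max_boost)
        except ZeroDivisionError:
            out[a] = "revert"
            continue
        if m != max_boost:
            out[a] = m
    return out


# Constructed sample inputs: 18-decimal amounts from 1 to 1,000,000 tokens,
# with small offsets so that baseAmount is truncated in some cases.
TOKEN_SCALE_AMOUNTS = [
    n * 10**18 + off
    for n in (1, 37, 5_000, 1_000_000)
    for off in (0, 1, 123_456_789)
]

if __name__ == "__main__":
    print("token-scale results:", distinct_multipliers(TOKEN_SCALE_AMOUNTS))
    print("dust-scale outliers:", truncation_outliers(range(0, 11)))
```
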

Tools Used

  • Manual code review

Recommendations

To address this vulnerability, the getBoostMultiplier function should be updated to integrate with the _calculateBoost function, which already contains the correct logic for calculating the boosted amount.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BoostController::getBoostMultiplier always returns MAX_BOOST for any non-zero boost due to mathematical calculation error, defeating the incentive mechanism
