Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

Incorrect Initialization of minBoost Value

Summary

The BaseGauge constructor initializes the staking contract with various parameters, including boost parameters. However, there is an issue with the initialization of the minBoost value, which is set to 1e18 (1 with 18 decimal places). This value is significantly larger than the maxBoost value of 25000, which is logically inconsistent and could lead to unintended behavior in the contract.

Vulnerability Details

In the constructor, the minBoost parameter is set to 1e18, while the maxBoost parameter is set to 25000. This creates a logical inconsistency because the minimum boost value should not exceed the maximum boost value. The minBoost value should be set to 10000 (representing a 1x boost) to align with the intended functionality and ensure that the boost mechanism operates correctly.

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/governance/gauges/BaseGauge.sol#L142

boostState.maxBoost = 25000; // 2.5x
boostState.minBoost = 1e18; // @audit minBoost is more than max boost

Impact

Misalignment with the intended boost mechanism, which will affect user rewards and overall contract functionality.

Tools Used

  • Manual code review

Recommendations

To resolve this issue, the minBoost value should be set to 10000 (1x boost) to ensure logical consistency with the maxBoost value and the intended boost mechanism. The corrected code should look like this:

boostState.maxBoost = 25000; // 2.5x
boostState.minBoost = 10000; // 1x
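
One way to make this class of misconfiguration fail at deployment rather than surface later in reward math. This is an added example, not part of the submission and not RAAC code. Every name except `boostState`, `maxBoost` and `minBoost` is hypothetical, and the rule that the floor may not be below 1x (10000) is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration, not RAAC code. Hypothetical contract showing a bounds
/// check on the two boost parameters named in the finding.
contract BoostBoundsExample {
    // Assumption: boosts are basis points, 10000 = 1x (as in the finding's comments).
    uint256 public constant BOOST_PRECISION = 10_000;

    struct BoostState {
        uint256 maxBoost;
        uint256 minBoost;
    }

    BoostState public boostState;

    error InvalidBoostBounds(uint256 minBoost, uint256 maxBoost);

    // Deploying with (1e18, 25000) reverts; (10000, 25000) succeeds.
    constructor(uint256 minBoost_, uint256 maxBoost_) {
        _setBoostBounds(minBoost_, maxBoost_);
    }

    /// Single write path for both bounds, so the invariant is checked on
    /// every update and not only in the constructor.
    function _setBoostBounds(uint256 minBoost_, uint256 maxBoost_) internal {
        // Reject a floor below 1x (assumed rule) and any floor above the ceiling.
        if (minBoost_ < BOOST_PRECISION || minBoost_ > maxBoost_) {
            revert InvalidBoostBounds(minBoost_, maxBoost_);
        }
        boostState.minBoost = minBoost_;
        boostState.maxBoost = maxBoost_;
    }

    /// Clamp a raw boost into [minBoost, maxBoost]. The result is only
    /// well defined because minBoost <= maxBoost is enforced above.
    function clampBoost(uint256 rawBoost) public view returns (uint256) {
        if (rawBoost < boostState.minBoost) return boostState.minBoost;
        if (rawBoost > boostState.maxBoost) return boostState.maxBoost;
        return rawBoost;
    }
}
```
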

Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

boostState.minBoost is set to 1e18
