Double-balance attack in GaugeController allows user to use same balance to vote in different Gauges
Vulnerability Details
The vote() function takes a user's voting power based on their veRAACToken balance:
However, when users vote for different gauges, there's no mechanism to track the total amount of voting power they've used across all gauges. The contract only tracks individual gauge votes in userGaugeVotes[msg.sender][gauge].
This means a user with X amount of veRAACToken balance could potentially:
Vote with weight 10000 (max) for Gauge A
Vote with weight 10000 (max) for Gauge B
Vote with weight 10000 (max) for Gauge C And so on, effectively multiplying their voting power across multiple gauges.
Impact
Users exceed 100% of their voting power across multiple gauges, which could lead to disproportionate influence over the emission distribution.
Tools Used
Manual Review
Recommendations
Track the total voting power used across all gauges for each user and ensure that the sum of a user's votes across all gauges cannot exceed their total voting power.
Lead Judging Commences
GaugeController::vote lacks total weight tracking, allowing users to allocate 100% of voting power to multiple gauges simultaneously
GaugeController::vote lacks total weight tracking, allowing users to allocate 100% of voting power to multiple gauges simultaneously
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.