Core Contracts

Finding Description and Impact

The calculateBoost function in the the contract BoostController calls BoostCalculator.calculateTimeWeightedBoost, but the parameters passed do not align correctly with the expected function signature.

The function signature of calculateTimeWeightedBoost in BoostCalculator.sol is:

However, the call in calculateBoost is:

Here, userVotingPower is incorrectly passed as userBalance, and totalVotingPower is incorrectly passed as totalSupply. This is problematic because:

• userBalance should represent the user’s balance of veToken, not userVotingPower.

• totalSupply should represent the total supply of veToken, not totalVotingPower.

Since voting power is a time-decayed value derived from locked tokens, using it instead of actual veToken balances could lead to miscalculations in the boost formula, potentially reducing or inflating user rewards incorrectly.

Potential Impact

• Users may receive incorrect reward boosts, leading to an unfair advantage or disadvantage.

• Boost calculations may not accurately reflect users’ staked positions, distorting the intended incentive mechanism.

• If improperly exploited, users could manipulate voting power to gain a higher boost than intended.

  Potential Scenario

  1. A user locks a large amount of veToken for a short duration, resulting in high userVotingPower initially.

  2. If userVotingPower is used as userBalance, the boost calculation may overestimate the user’s weight in the pool.

  3. As userVotingPower decays over time, the boost calculation could become unpredictable and misaligned with actual token balances.

  Recommended Mitigation Steps

  1. Pass the correct values to calculateTimeWeightedBoost:

     • userBalance should be retrieved from veToken.balanceOf(user).

     • totalSupply should be retrieved from veToken.totalSupply().

  2. Explicitly document the required parameter types to prevent incorrect assumptions in future modifications.