Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Incorrect Gauge Weight Calculation in `GaugeController` Due to Changing veRAAC Voting Power

Summary

In GaugeController, users vote on gauge allocations using their veRAAC balance. However, since veRAAC balances fluctuate over time, the system does not correctly account for past votes when a user re-votes for the same gauge. This leads to incorrect gauge weight calculations, causing potential inflation or under-accounting of the total voting power.

Vulnerability Details

Voting Process

Users vote for a gauge with a specified weight:

```solidity
function vote(address gauge, uint256 weight) external override whenNotPaused {
    if (!isGauge(gauge)) revert GaugeNotFound();
    if (weight > WEIGHT_PRECISION) revert InvalidWeight();

    uint256 votingPower = veRAACToken.balanceOf(msg.sender);
    if (votingPower == 0) revert NoVotingPower();

    uint256 oldWeight = userGaugeVotes[msg.sender][gauge];
    userGaugeVotes[msg.sender][gauge] = weight; // @audit weight could be any value ≤ WEIGHT_PRECISION
    // @audit Can this be done multiple times?
    _updateGaugeWeight(gauge, oldWeight, weight, votingPower);
    emit WeightUpdated(gauge, oldWeight, weight);
}
```

Gauge Weight Update

When a user votes, the gauge's total weight is updated as follows:

```solidity
function _updateGaugeWeight(
    address gauge,
    uint256 oldWeight,
    uint256 newWeight,
    uint256 votingPower
) internal {
    Gauge storage g = gauges[gauge];
    uint256 oldGaugeWeight = g.weight;
    // @audit-issue Uses current voting power instead of past value
    uint256 newGaugeWeight = oldGaugeWeight - (oldWeight * votingPower / WEIGHT_PRECISION)
        + (newWeight * votingPower / WEIGHT_PRECISION);
    g.weight = newGaugeWeight;
    g.lastUpdateTime = block.timestamp;
}
```

Why This Is a Problem

The issue arises because the old weight calculation uses the user’s current voting power rather than the voting power they had when they initially voted.

  • If a user’s voting power decreases between two votes, the old vote is removed using the smaller current voting power, so too little is subtracted, leading to inflated gauge weights.

  • If a user’s voting power increases, the old vote is removed using the larger current voting power, so too much is subtracted, leading to unexpectedly lower gauge weights.

  • This distorts the gauge voting system, potentially leading to misallocated rewards.

Exploit Scenario

  1. A user with 1000 veRAAC votes for a gauge with a 50% weight allocation.

  2. Later, their veRAAC balance drops to 500, and they re-vote with a different weight.

  3. The contract subtracts their old vote using their new lower balance, meaning the gauge weight does not decrease enough.

  4. The system now overestimates total gauge weight, leading to incorrect distribution of incentives.

Impact

  • Gauge weights become inaccurate, leading to unfair allocation of emissions/rewards.

  • Users can unintentionally inflate weights by voting multiple times after their voting power decreases.

  • Governance and reward distributions become unreliable, reducing the integrity of the staking mechanism.

Tools Used

N/A

Recommendations

  • Implement an epoch-based voting system, where votes are locked in for a set period before they can be modified.

  • Store historical voting power snapshots to accurately calculate old weight removal.

  • Use well-established voting mechanisms, such as those used in Velodrome Finance (Reference), which prevent weight inflation by ensuring consistent voting power during each epoch.
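The exploit scenario and the snapshot recommendation above, modelled off-chain as an added example (not code from the submission or from the RAAC contracts). `WEIGHT_PRECISION = 10000`, the `alice` label, the re-vote to weight 0, and the `GaugeModel` / `snapshotFix` names are assumptions for illustration; the second scenario goes beyond the page's numbers to show a balance increase, where Solidity's checked subtraction reverts.

```javascript
// Off-chain model of the vote accounting shown above; BigInt stands in for uint256.
const WEIGHT_PRECISION = 10000n; // assumed value (basis points); not stated on the page

// Solidity 0.8 checked subtraction: reverts instead of wrapping.
function checkedSub(a, b) {
  if (b > a) throw new RangeError("underflow: transaction reverts");
  return a - b;
}

class GaugeModel {               // hypothetical name, illustration only
  constructor(snapshotFix) {
    this.snapshotFix = snapshotFix; // false: logic as on the page, true: snapshot variant
    this.weight = 0n;               // models g.weight
    this.votes = new Map();         // user -> { weight, power recorded at vote time }
  }

  vote(user, weight, votingPower) {
    const prev = this.votes.get(user) ?? { weight: 0n, power: 0n };
    // Page logic removes the old vote at today's balance; the snapshot
    // variant removes exactly what was added when the vote was cast.
    const removalPower = this.snapshotFix ? prev.power : votingPower;
    const removed = (prev.weight * removalPower) / WEIGHT_PRECISION;
    const added = (weight * votingPower) / WEIGHT_PRECISION;
    this.weight = checkedSub(this.weight, removed) + added;
    this.votes.set(user, { weight, power: votingPower });
    return this.weight;
  }
}

// Scenario from the page: 50% vote at 1000 veRAAC, balance decays to 500,
// then the user re-votes (constructed choice: new weight 0, i.e. vote withdrawn).
function decayScenario(snapshotFix) {
  const g = new GaugeModel(snapshotFix);
  g.vote("alice", 5000n, 1000n);
  return g.vote("alice", 0n, 500n);
}

// Opposite direction: balance grows from 500 to 1000 before the re-vote.
function growthScenario(snapshotFix) {
  const g = new GaugeModel(snapshotFix);
  g.vote("alice", 5000n, 500n);
  try {
    return g.vote("alice", 5000n, 1000n);
  } catch (e) {
    return "revert";
  }
}

console.log(decayScenario(false), decayScenario(true), growthScenario(false), growthScenario(true));
```

With the page's logic the gauge keeps a residual weight after the only vote on it is withdrawn, and the re-vote after a balance increase reverts; with the recorded voting power both cases settle to the expected totals.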

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

GaugeController::_updateGaugeWeight uses current voting power for both old and new vote calculations, causing underflows when voting power increases and incorrect gauge weights
