Core Contracts

The delegateBoost() function allows users to delegate their boost power to another user based on their veRAAC balance at the time of delegation. However, the contract does not enforce real-time balance validation when calculating boosts in updateUserBoost(). A user can delegate their entire veRAAC balance, then transfer the tokens to another address while still benefiting from the original delegation. This allows both the delegator and the recipient to simultaneously claim boosts, effectively doubling the boost rewards unfairly. The system does not check whether the delegator still holds enough veRAAC to support the delegated boost, leading to reward inflation. Attackers can repeat this process by cycling veRAAC between wallets to exploit the reward system.

Later, when updateUserBoost() is called, it applies the delegated boost without ensuring the user still holds veRAAC, allowing the exploit.

Attack Scenario

• User A has 1000 veRAAC tokens and stakes liquidity in Pool X.

• User A calls delegateBoost(User B, 1000, 30 days), delegating their full balance.

• User A transfers their veRAAC to another wallet (User C).

• User A calls updateUserBoost(), but their previous delegation remains counted.

• The system does not properly check if User A’s veRAAC balance has changed since delegation.

• Both User A and User B receive boosts, effectively doubling the boost effect.

• Over time, this can be repeated by transferring veRAAC back and forth between wallets.

Impact

Users can illegitimately claim more rewards than they are entitled to by transferring veRAAC after delegation, leading to economic imbalance and reward pool depletion.

Mitigation

Require real-time veRAAC balance checks in updateUserBoost() before applying boosts to prevent delegated boosts from exceeding a user’s actual holdings.