Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

Unauthorized Access in `updateUserBoost` Allows Manipulation of User Boost Data

Summary

The `BoostController::updateUserBoost` function in the `BoostController` contract (contracts/core/governance/boost/BoostController.sol) lacks access control, so any external caller can refresh the boost data of any user. This allows malicious actors to manipulate boost parameters, potentially gaining unfair advantages and undermining the protocol's economic model.

Vulnerability Details

```solidity
    // @audit-issue No access control, allowing unauthorized users to modify boost values
@>  function updateUserBoost(address user, address pool) external override nonReentrant whenNotPaused {
        if (paused()) revert EmergencyPaused();
        if (user == address(0)) revert InvalidPool();
        if (!supportedPools[pool]) revert PoolNotSupported();

        UserBoost storage userBoost = userBoosts[user][pool];
        PoolBoost storage poolBoost = poolBoosts[pool];

        uint256 oldBoost = userBoost.amount;
        // Calculate new boost based on current veToken balance
        uint256 newBoost = _calculateBoost(user, pool, 10000); // Base amount
        userBoost.amount = newBoost;
        userBoost.lastUpdateTime = block.timestamp;

        // Update pool totals safely
        if (newBoost >= oldBoost) {
            poolBoost.totalBoost = poolBoost.totalBoost + (newBoost - oldBoost);
        } else {
            poolBoost.totalBoost = poolBoost.totalBoost - (oldBoost - newBoost);
        }
        poolBoost.workingSupply = newBoost; // Set working supply directly to new boost
        poolBoost.lastUpdateTime = block.timestamp;

        emit BoostUpdated(user, pool, newBoost);
        emit PoolBoostUpdated(pool, poolBoost.totalBoost, poolBoost.workingSupply);
    }
```
  • Issue:

    • The function is declared `external`, so any account can call it.

    • There is no access control mechanism (e.g., `onlyRole(MANAGER_ROLE)` or `require(msg.sender == user)`).

    • As a result, an attacker can trigger a boost recalculation for any user at a time of their choosing, rewriting that user's stored boost and the pool totals.

Impact

  • Economic Manipulation:

    • Attackers can artificially increase their boost or reduce others’ boost, skewing rewards distribution.

  • Unfair Advantage:

    • Malicious actors may gain undue benefits in reward systems or influence governance outcomes.

  • Protocol Exploitation:

    • Manipulated boost data could destabilize the protocol’s economic model, leading to financial loss for legitimate participants.

Tools Used

  • Manual Code Review

Recommendations

  • Implement Role-Based Access Control:

    • Add an access control modifier such as `onlyRole(MANAGER_ROLE)` to ensure that only authorized accounts can update boost data:

```solidity
function updateUserBoost(address user, address pool) external override nonReentrant whenNotPaused onlyRole(MANAGER_ROLE) {
    // ... original logic ...
}
```
  • Alternative Approach:

    • If users should only update their own boost data, enforce a check to ensure that `msg.sender` is either the user or has the proper role:

```solidity
function updateUserBoost(address user, address pool) external override nonReentrant whenNotPaused {
    require(msg.sender == user || hasRole(MANAGER_ROLE, msg.sender), "Unauthorized");
    // ... original logic ...
}
```
  • Conduct Further Testing:

    • Validate the fix with comprehensive unit tests and consider a formal audit to ensure no other functions are vulnerable to unauthorized modifications.
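The second recommendation carried through to a compilable contract, as an added example that is not the project's code. It assumes OpenZeppelin Contracts v5 import paths; `BoostControllerHardened`, the `veBalance` mapping, the `setPoolSupported` and `setVeBalance` hooks, the `onlySelfOrManager` modifier and the `_calculateBoost` formula are this example's own placeholders standing in for the project's veToken lookup and boost math. The storage layout, the pool-total update and the emitted events follow the vulnerable snippet above, so the only behavioural difference is the authorisation check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's code. Assumes OpenZeppelin Contracts v5 import
// paths; the veToken lookup and boost formula are placeholders so the access-control
// pattern can be compiled and tested on its own.
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
import {Pausable} from "@openzeppelin/contracts/utils/Pausable.sol";

contract BoostControllerHardened is AccessControl, ReentrancyGuard, Pausable {
    bytes32 public constant MANAGER_ROLE = keccak256("MANAGER_ROLE");

    struct UserBoost { uint256 amount; uint256 lastUpdateTime; }
    struct PoolBoost { uint256 totalBoost; uint256 workingSupply; uint256 lastUpdateTime; }

    mapping(address => mapping(address => UserBoost)) public userBoosts;
    mapping(address => PoolBoost) public poolBoosts;
    mapping(address => bool) public supportedPools;
    mapping(address => uint256) public veBalance; // placeholder for the veToken balance

    error Unauthorized(address caller, address user);
    error InvalidUser();
    error PoolNotSupported();

    event BoostUpdated(address indexed user, address indexed pool, uint256 newBoost);
    event PoolBoostUpdated(address indexed pool, uint256 totalBoost, uint256 workingSupply);

    constructor(address admin, address manager) {
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
        _grantRole(MANAGER_ROLE, manager);
    }

    /// The rule the finding asks for: only the user whose boost is being refreshed,
    /// or an account holding MANAGER_ROLE, may call updateUserBoost for `user`.
    modifier onlySelfOrManager(address user) {
        if (msg.sender != user && !hasRole(MANAGER_ROLE, msg.sender)) {
            revert Unauthorized(msg.sender, user);
        }
        _;
    }

    function updateUserBoost(address user, address pool)
        external
        nonReentrant
        whenNotPaused
        onlySelfOrManager(user)
    {
        if (user == address(0)) revert InvalidUser();
        if (!supportedPools[pool]) revert PoolNotSupported();

        UserBoost storage userBoost = userBoosts[user][pool];
        PoolBoost storage poolBoost = poolBoosts[pool];

        uint256 oldBoost = userBoost.amount;
        uint256 newBoost = _calculateBoost(user, pool, 10000);
        userBoost.amount = newBoost;
        userBoost.lastUpdateTime = block.timestamp;

        // Apply the per-user delta to the pool total, as the original does.
        if (newBoost >= oldBoost) {
            poolBoost.totalBoost += newBoost - oldBoost;
        } else {
            poolBoost.totalBoost -= oldBoost - newBoost;
        }
        poolBoost.workingSupply = newBoost; // kept as in the original snippet
        poolBoost.lastUpdateTime = block.timestamp;

        emit BoostUpdated(user, pool, newBoost);
        emit PoolBoostUpdated(pool, poolBoost.totalBoost, poolBoost.workingSupply);
    }

    // Placeholder boost formula: base scaled by the user's ve balance, capped at 2.5x.
    function _calculateBoost(address user, address, uint256 base) internal view returns (uint256) {
        uint256 boost = base + (veBalance[user] * base) / 1e18;
        uint256 cap = (base * 25) / 10;
        return boost > cap ? cap : boost;
    }

    // Manager-only configuration hooks so a test can set up pools and balances.
    function setPoolSupported(address pool, bool supported) external onlyRole(MANAGER_ROLE) {
        supportedPools[pool] = supported;
    }

    function setVeBalance(address user, uint256 amount) external onlyRole(MANAGER_ROLE) {
        veBalance[user] = amount;
    }

    function pause() external onlyRole(DEFAULT_ADMIN_ROLE) { _pause(); }
    function unpause() external onlyRole(DEFAULT_ADMIN_ROLE) { _unpause(); }
}
```

A Hardhat test for the fix needs three signers: the manager marks a pool as supported, a user calls `updateUserBoost(user, pool)` for itself and the manager calls it on the user's behalf (both succeed and emit `BoostUpdated`), while a third, unrelated signer calling `updateUserBoost(user, pool)` must revert with `Unauthorized(caller, user)`. The custom error carries both addresses so the rejected call is attributable in logs, and the check sits in a modifier so it cannot be forgotten when the function body is later refactored.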

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
