Delegation of boost does not take into account current boost expiration
Summary
Delegation of boost requires carefully calculating the expiry of the delegatee's boost. If a boost expires in less than a year, booster could manipulate that by setting the boost.expiry of the delegatee to the max which is 1 year, hence gaming the protocol from the boost mechanic. This could allow delegatee to hold boost longer than supposed.
Vulnerability Details
Schematic poc:
Alice delegates her boost that expires in 1 day due to her veToken unlocking
She delegates for the max period of delegation (1 year) to Bob
1 day later her boost expires, but Bob still has 1 year worth of boost even though nothing is locked in the vest
Impact
Delegatee could farm larger rewards even though no tokens are vested from the delegator.
Tools Used
Manual review
Recommendations
Before setting the expiryDate of the delegatee' boost, compare it with the delegator's unvest date.
Lead Judging Commences
BoostController delegations remain valid even when users withdraw their veRAAC tokens, allowing boost "double-spending" and undermining the economic model requiring locked tokens
BoostController delegations remain valid even when users withdraw their veRAAC tokens, allowing boost "double-spending" and undermining the economic model requiring locked tokens
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.