Currently, the delegateBoost function in the BoostController is designed to delegate boost from one user to a pool, but it lacks any validation that the address being delegated to (the to parameter) is a supported pool.
Boost should only be delegatable to supported pools. Because any address can be passed as to, two issues can arise:
A user delegates the funds to an untrusted address and loses them, or
A user with X veTokens builds an unbounded chain of delegations, i.e. A -> B -> C -> D -> E -> F.
Each step in the chain creates new boost power, and when the original delegation expires the rest of the chain remains active, which leads to unbounded boost multiplication.
PS: There is a related issue with tracking the delegated amount, but that was submitted in a separate report.
Loss of funds for the user when the target address is not a supported pool.
Theft of boost rewards by creating a long chain of delegations.
Manual Review
Validate in delegateBoost that to is a supported pool and revert otherwise, so that boost can only flow from a user to a registered pool.
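The following is an added illustration written for this report, not the project's code. It models both the delegation chain described above and the recommended check in one minimal, hypothetical BoostController: the IVeToken interface, the MockVeToken, the supportedPools registry, the boostPower accounting, the delegatablePower rule and the two function variants are all assumptions chosen to show the unchecked and the validated delegateBoost side by side.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the project's code. A minimal, hypothetical model of
// the BoostController described in this report: the IVeToken interface, the
// supportedPools registry, boostPower accounting and delegatablePower are all
// assumptions made to show the two delegateBoost variants side by side.

interface IVeToken {
    function balanceOf(address account) external view returns (uint256);
}

// Constructed stand-in for the veToken so the example compiles on its own.
contract MockVeToken is IVeToken {
    mapping(address => uint256) private _balances;

    function mint(address to, uint256 amount) external {
        _balances[to] += amount;
    }

    function balanceOf(address account) external view override returns (uint256) {
        return _balances[account];
    }
}

contract BoostControllerExample {
    struct Delegation {
        uint256 amount;
        uint256 expiry;
    }

    IVeToken public immutable veToken;
    address public immutable owner;

    // Assumed registry of pools allowed to receive boost.
    mapping(address => bool) public supportedPools;
    // delegator => receiver => active delegation
    mapping(address => mapping(address => Delegation)) public delegations;
    // Boost power credited to each receiver.
    mapping(address => uint256) public boostPower;

    error NotSupportedPool(address to);
    error InsufficientPower(uint256 requested, uint256 available);
    error NotOwner();

    constructor(IVeToken _veToken) {
        veToken = _veToken;
        owner = msg.sender;
    }

    function setSupportedPool(address pool, bool supported) external {
        if (msg.sender != owner) revert NotOwner();
        supportedPools[pool] = supported;
    }

    // Assumed model: boost an account has received counts toward what it may
    // delegate onward. This is what lets a single veToken balance of X be turned
    // into n*X of boost power by the chain A -> B -> C -> ... when receivers are
    // not restricted to pools.
    function delegatablePower(address account) public view returns (uint256) {
        return veToken.balanceOf(account) + boostPower[account];
    }

    // VULNERABLE variant: `to` is never validated. Any EOA or contract can be a
    // receiver, so user B can re-delegate the power A gave it to C, C to D, and
    // so on. boostPower[to] is credited permanently here, so the chain stays
    // active after A's delegation expires.
    function delegateBoostUnchecked(address to, uint256 amount, uint256 duration) external {
        _delegate(to, amount, duration);
    }

    // FIXED variant: only pools on the registry may receive boost. Pools do not
    // call delegateBoost themselves, so no chain can form, and a user cannot
    // delegate to an arbitrary, untrusted address.
    function delegateBoost(address to, uint256 amount, uint256 duration) external {
        if (!supportedPools[to]) revert NotSupportedPool(to);
        _delegate(to, amount, duration);
    }

    function _delegate(address to, uint256 amount, uint256 duration) internal {
        uint256 available = delegatablePower(msg.sender);
        if (amount > available) revert InsufficientPower(amount, available);
        delegations[msg.sender][to] = Delegation(amount, block.timestamp + duration);
        boostPower[to] += amount;
    }
}
```

To reproduce the chain in a Foundry or Hardhat test against this model: mint X veTokens to A, then call delegateBoostUnchecked from A to B, from B to C, and so on with amount X. Each hop succeeds because delegatablePower of the previous receiver is already X, so five hops credit 5X of boost power from a single X balance. With delegateBoost, B's call reverts with NotSupportedPool unless B has been registered through setSupportedPool, which is exactly the check the recommendation asks for.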