The delegateBoost function checks if the user has sufficient veToken balance but does not validate whether the amount exceeds their total available boost. This could lead to inconsistencies if the boost mechanism is separate from the veToken balance.
The function relies solely on the user's veToken balance to determine if they have sufficient boost to delegate.
If the boost mechanism is separate from the veToken balance (e.g., based on staking or other factors), this check is insufficient.
This could allow users to delegate more boost than they actually have, leading to an inflated or incorrect boost distribution.
Inconsistencies: Users may delegate more boost than they actually have, leading to inconsistencies in the system.
Exploitation: Malicious users could exploit this to delegate more boost than they are entitled to, potentially disrupting the governance process.
A user has a total boost of 100 (based on staking or other factors).
The user delegates 150 boost to another address.
The function does not validate the amount against the total boost, allowing the delegation to proceed.
The system now incorrectly reflects that the user has delegated 150 boost, even though they only have 100.
Manual Review
Add a check to ensure the amount does not exceed the user's total available boost:
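The accounting behind this recommendation, modelled in Python as an added example; it is not the audited contract's code. All names (`BoostLedger`, `total_boost`, `delegated`, `received`, `alice`, `bob`) are hypothetical, and it assumes total boost is tracked separately from the veToken balance, as the finding supposes. It goes one step beyond the scenario above by bounding each delegation by the boost not yet delegated, so repeated smaller delegations are covered too.

```python
from dataclasses import dataclass, field


class Revert(Exception):
    """Stands in for an on-chain revert."""


@dataclass
class BoostLedger:
    # Hypothetical names; the audited contract's storage is not shown on the page.
    ve_balance: dict = field(default_factory=dict)   # user -> veToken balance
    total_boost: dict = field(default_factory=dict)  # user -> total boost (assumed separate)
    delegated: dict = field(default_factory=dict)    # user -> boost already delegated out
    received: dict = field(default_factory=dict)     # delegatee -> boost received

    def available_boost(self, user):
        return self.total_boost.get(user, 0) - self.delegated.get(user, 0)

    def delegate(self, user, to, amount, check_boost):
        # Check the finding describes: veToken balance only.
        if self.ve_balance.get(user, 0) < amount:
            raise Revert("insufficient veToken balance")
        # Recommended check: bound by boost not yet delegated, not by the total,
        # so repeated smaller delegations cannot add up past the total either.
        if check_boost and amount > self.available_boost(user):
            raise Revert("amount exceeds available boost")
        self.delegated[user] = self.delegated.get(user, 0) + amount
        self.received[to] = self.received.get(to, 0) + amount


def run(amounts, check_boost):
    """Apply delegations for a constructed user; return (results, total delegated)."""
    # Constructed sample: veToken balance 200, total boost 100 (the finding's figure).
    ledger = BoostLedger(ve_balance={"alice": 200}, total_boost={"alice": 100})
    results = []
    for amount in amounts:
        try:
            ledger.delegate("alice", "bob", amount, check_boost)
            results.append("ok")
        except Revert as exc:
            results.append(str(exc))
    return results, ledger.delegated.get("alice", 0)


if __name__ == "__main__":
    print(run([150], check_boost=False))    # balance-only check
    print(run([150], check_boost=True))     # with the added check
    print(run([60, 60], check_boost=True))  # cumulative case
```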