Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

User can be blocked from voting again for gauge if his voting power has increased

lyuboslav

Summary

The GaugeController contract fails to handle additional votes when a user increases their veRAACToken balance.

Vulnerability Details

Users cannot vote again on the same gauge after acquiring more veRAACTokens. The _updateGaugeWeight function assumes that the user's voting power remains unchanged between votes, leading to incorrect calculations and a revert due to overflow.

Steps to Reproduce:

Lets assume the following:

User has 1000 veRAACTokens, therefore he has a voting power of 1000.

Now lets go to the votings:

User votes for a gauge (rwaGauge) with a weight of 5000 (50%). The gauge weight increases accordingly, as expected.
After some time the user gets additional 1000 veRAACTokens.
He cast a vote for the same gauge with the same weight.
The transaction reverts

POC

Inside of GaugeController.test.js put:

describe('vulnerabilities', () => {

it('doesnt support voting for the same gauge if user gets more power', async () => {

// Start Generation Here

// User1 buys initial veRAACTokens

await veRAACToken.mint(user1.address, ethers.parseEther("1000"));

const initialVotingPower = await veRAACToken.balanceOf(user1.address);

// User1 votes for the rwaGauge

await gaugeController.connect(user1).vote(await rwaGauge.getAddress(), 5000); // 50% weight

// Start of Selection

// Validate that the gauge weight is correct

const gaugeWeight = await gaugeController.getGaugeWeight(await rwaGauge.getAddress());

const EXPECTED_WEIGHT = ethers.parseEther("1000");

expect(gaugeWeight).to.equal(EXPECTED_WEIGHT);

// User1 buys more veRAACTokens

await veRAACToken.mint(user1.address, ethers.parseEther("1000"));

await expect(

gaugeController.connect(user1).vote(await rwaGauge.getAddress(), 5000)

).to.be.revertedWithPanic('0x11');

});

Impact

Prevents users from allocating their increased voting power for the gauge weight distribution.

Tools Used

Manual review, automated unit tests

Recommendations

N/A

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago

Submission Judgement Published

Validated

Assigned finding tags:

GaugeController::_updateGaugeWeight uses current voting power for both old and new vote calculations, causing underflows when voting power increases and incorrect gauge weights

inallhonesty Lead Judge 4 months ago

Submission Judgement Published

Validated

Assigned finding tags:

GaugeController::_updateGaugeWeight uses current voting power for both old and new vote calculations, causing underflows when voting power increases and incorrect gauge weights

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.