Core Contracts

Summary

The BoostController.sol contract does not automatically clean up expired delegations, relying instead on manual removal via removeBoostDelegation. This can cause totalBoost to include expired boosts until they are manually removed.

Vulnerability Details

The vulnerability arises from the lack of automatic cleanup for expired boost delegations. When a boost delegation expires, it remains in the system and continues to be included in the totalBoost calculation until it is manually removed using the removeBoostDelegation function. This can lead to an inflated totalBoost value, which does not accurately reflect the current state of active boosts.

Impact

The impact of this vulnerability is significant in terms of governance and decision-making processes. An inflated totalBoost value can lead to incorrect calculations and decisions based on outdated information. This can affect the accuracy of voting power, governance proposals, and other operations that rely on the totalBoost value. Over time, the accumulation of expired boosts can lead to a significant discrepancy between the actual and reported boost values, undermining the integrity of the governance system.

Tools Used

Manual Review

Recommendations

To mitigate this vulnerability, implement an automatic cleanup mechanism for expired boost delegations. This can be achieved by periodically checking for and removing expired boosts during relevant contract interactions or by implementing a scheduled cleanup process (using a keeper). Ensuring that totalBoost accurately reflects only active boosts will maintain the integrity of the governance system and prevent potential discrepancies.