Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

Missing Addition of Delegation Amount to Pool Boost Totals

maglov

Summary

The delegateBoost function does not update the pool's totalBoost and workingSupply when a delegation is created. However, the removeBoostDelegation function subtracts the delegation amount from these values when the delegation is removed. This inconsistency can lead to incorrect state tracking and disrupt the boost mechanics of the system.

Vulnerability Details

  • When a user delegates boost using the delegateBoost function, the delegation amount is stored in the userBoosts mapping but is not added to the pool's totalBoost and workingSupply.

  • When the delegation is removed using the removeBoostDelegation function, the delegation amount is subtracted from the pool's totalBoost and workingSupply.

  • This inconsistency means that the pool's boost totals will be understated while the delegation is active and corrected only when the delegation is removed.

Impact

  • Incorrect State Tracking: The pool's totalBoost and workingSupply will not reflect the actual boost allocations, leading to incorrect calculations and behavior.

  • System Instability: Incorrect boost totals could disrupt the governance process and lead to instability in the system.

  • User Frustration: Users may experience unexpected behavior due to incorrect boost calculations.

PoC

  1. A user delegates 100 boost to a pool using the delegateBoost function.

  2. The delegation is stored in the userBoosts mapping, but the pool's totalBoost and workingSupply are not updated.

  3. The pool's totalBoost and workingSupply remain unchanged, even though the delegation is active.

  4. When the delegation is removed using the removeBoostDelegation function, the delegation amount is subtracted from the pool's totalBoost and workingSupply.

  5. The pool's totalBoost and workingSupply are now incorrectly reduced, even though they were never increased in the first place.

Tools Used

Manual Review

Recommendations

To fix this issue, the delegateBoost function should add the delegation amount to the pool's totalBoost and workingSupply when the delegation is created. Here is the updated delegateBoost function:

function delegateBoost(
address to,
uint256 amount,
uint256 duration
) external override nonReentrant {
if (paused()) revert EmergencyPaused();
if (to == address(0)) revert InvalidPool();
if (amount == 0) revert InvalidBoostAmount();
if (duration < MIN_DELEGATION_DURATION || duration > MAX_DELEGATION_DURATION)
revert InvalidDelegationDuration();
uint256 userBalance = IERC20(address(veToken)).balanceOf(msg.sender);
if (userBalance < amount) revert InsufficientVeBalance();
UserBoost storage delegation = userBoosts[msg.sender][to];
if (delegation.amount > 0) revert BoostAlreadyDelegated();
// Add delegation amount to pool's totalBoost and workingSupply
PoolBoost storage poolBoost = poolBoosts[to];
poolBoost.totalBoost += amount;
poolBoost.workingSupply += amount;
poolBoost.lastUpdateTime = block.timestamp;
delegation.amount = amount;
delegation.expiry = block.timestamp + duration;
delegation.delegatedTo = to;
delegation.lastUpdateTime = block.timestamp;
emit BoostDelegated(msg.sender, to, amount, duration);
emit PoolBoostUpdated(to, poolBoost.totalBoost, poolBoost.workingSupply);
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BoostController removes pool boost on delegation removal without adding it on delegation creation, leading to accounting inconsistencies and potential underflows

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BoostController removes pool boost on delegation removal without adding it on delegation creation, leading to accounting inconsistencies and potential underflows

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!