Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

Boost Delegation Allows Invalid Recipients on BoostController

Summary

The delegateBoost() function does not validate the recipient (to) properly, allowing users to delegate boosts to unverified addresses. This could lead to boosts being sent to malicious contracts, ineffective delegations, or self-delegations, breaking the system’s integrity.

Vulnerability Details

Vulnerable Code:

function delegateBoost(
    address to,
    uint256 amount,
    uint256 duration
) external override nonReentrant {
    if (paused()) revert EmergencyPaused();
    if (to == address(0)) revert InvalidPool(); // Only checks for `0x0`
    if (amount == 0) revert InvalidBoostAmount();
    if (duration < MIN_DELEGATION_DURATION || duration > MAX_DELEGATION_DURATION)
        revert InvalidDelegationDuration();
    uint256 userBalance = IERC20(address(veToken)).balanceOf(msg.sender);
    if (userBalance < amount) revert InsufficientVeBalance();
    // No verification if `to` is a valid recipient
}

Problems

  • A user can delegate to an unverified or malicious contract, which could steal or misuse the boost.

  • No check to prevent self-delegation, leading to ineffective boosts.

  • Boosts can be locked in contracts that do not support retrieval, permanently losing voting power.

Impact

  • Boosts can be lost forever if sent to a malicious contract or an invalid address.

  • Users could self-delegate, causing ineffective boost calculations.

  • Boost system integrity is compromised, allowing abuse.

Tools Used

Manual review

Recommendations

  • Ensure that to is a valid pool using supportedPools[to].

  • Prevent self-delegation.

function delegateBoost(
    address to,
    uint256 amount,
    uint256 duration
) external override nonReentrant {
    if (paused()) revert EmergencyPaused();
    if (!supportedPools[to]) revert PoolNotSupported(); // Ensure recipient is a valid pool
    if (msg.sender == to) revert CannotSelfDelegate(); // Prevent self-delegation
    // ..
}
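
A regression check for the two recommended guards, added here as an example; it is not code from the submission or from the project. BoostControllerHarness, manager, setPool, delegated, DelegateBoostRecipientTest and the sample addresses are hypothetical, and the harness leaves out the pause, reentrancy, duration and veToken balance checks so that only recipient validation is exercised.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example: minimal stand-in for BoostController, not the audited contract.
contract BoostControllerHarness {
    error PoolNotSupported();
    error CannotSelfDelegate();
    error InvalidBoostAmount();

    address public immutable manager; // assumption: a single admin curates the pool list
    mapping(address => bool) public supportedPools;
    mapping(address => mapping(address => uint256)) public delegated; // from => to => amount

    constructor() { manager = msg.sender; }

    function setPool(address pool, bool ok) external {
        require(msg.sender == manager, "not manager");
        supportedPools[pool] = ok;
    }

    function delegateBoost(address to, uint256 amount) external {
        // address(0) is never listed, so the allowlist also covers the zero-address case
        if (!supportedPools[to]) revert PoolNotSupported();
        if (msg.sender == to) revert CannotSelfDelegate();
        if (amount == 0) revert InvalidBoostAmount();
        delegated[msg.sender][to] = amount;
    }
}

// Each invalid recipient must revert with the expected custom error; a listed pool must succeed.
contract DelegateBoostRecipientTest {
    BoostControllerHarness private c = new BoostControllerHarness(); // this contract is manager
    address private constant POOL = address(0xB0057); // constructed sample address

    function _revertsWith(address to, bytes4 selector) private returns (bool) {
        try c.delegateBoost(to, 1) { return false; }
        catch (bytes memory reason) { return reason.length >= 4 && bytes4(reason) == selector; }
    }

    function run() external returns (bool) {
        c.setPool(POOL, true);
        c.setPool(address(this), true); // even a listed address cannot delegate to itself
        require(_revertsWith(address(0xBAD), BoostControllerHarness.PoolNotSupported.selector));
        require(_revertsWith(address(0), BoostControllerHarness.PoolNotSupported.selector));
        require(_revertsWith(address(this), BoostControllerHarness.CannotSelfDelegate.selector));
        c.delegateBoost(POOL, 1); // listed pool is accepted
        return c.delegated(address(this), POOL) == 1;
    }
}
```

Deploying DelegateBoostRecipientTest and calling run() returns true only when all three invalid recipients are rejected with the matching error and the listed pool is accepted.
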
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BoostController::delegateBoost lacks supported pool validation, allowing delegation to arbitrary addresses
