`getBoostMultiplier` always returns maximum boost for any non-zero value
Summary
The getBoostMultiplier function in the BoostController contract contains a critical mathematical flaw that causes any non-zero boost amount to result in the maximum boost multiplier (2.5x or 25000 basis points).
Vulnerability Details
The issue is the following:
The function attempts to calculate a boost multiplier using the ratio of
userBoost.amountto abaseAmountbaseAmountis calculated asuserBoost.amount * 10000 / MAX_BOOST(where MAX_BOOST = 25000)The final calculation
userBoost.amount * 10000 / baseAmountmathematically simplifies toMAX_BOOST
For any non-zero userBoost.amount value (let's call it x):
-
baseAmount = x * 10000 / 25000 -
Final calculation =
x * 10000 / (x * 10000 / 25000) -
Simplifying:
x * 10000 * 25000 / (x * 10000) = 25000
This means regardless of the input amount, the function will always return MAX_BOOST (25000) for any non-zero boost.
Impact
Function returns the MAX_BOOST regardless of the user's boost amount for the pool.
This can lead to miscalculation of rewards.
Tools Used
Manual Review
Recommendations
Scale the value to get the boost in basis points just once:
Lead Judging Commences
BoostController::getBoostMultiplier always returns MAX_BOOST for any non-zero boost due to mathematical calculation error, defeating the incentive mechanism
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.