Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

Incorrect Initialization of minBoost in BaseGauge Constructor Breaks Core Contract Functionality

Summary

In the BaseGauge contract, the boostState.minBoost variable is initialized to 1e18, which is significantly larger than boostState.maxBoost (initialized to 25000). This inconsistency causes the getUserWeight function to revert with overflow/underflow errors when calculating boosts.

Vulnerability Details

The issue cascades into other core functions:

  1. earned: This function relies on getUserWeight to calculate rewards. Since getUserWeight reverts, earned also reverts.

  2. _updateReward: This function relies on earned to update user rewards. Since earned reverts, _updateReward also breaks.

As a result, the core functionality of the contract is severely impacted, making it impossible to calculate or update rewards for users.

Impact

  • The getUserWeight function always reverts, making it impossible to retrieve a user's weight with boost applied.

  • The earned function reverts, breaking reward calculations.

  • The _updateReward function reverts, preventing reward updates for users.

  • This breaks core functionality of the contract, including reward distribution and user state management.

Steps to Reproduce:

  1. Deploy the BaseGauge contract.

  2. Call the getUserWeight function for any user.

    • Observe that the transaction reverts with an overflow/underflow error.

  3. Call the earned function for any user.

    • Observe that the transaction reverts because it depends on getUserWeight.

Root Cause:

The root cause is the incorrect initialization of boostState.minBoost in the BaseGauge constructor. The value 1e18 is not a valid basis points value and is much larger than boostState.maxBoost (25000). This inconsistency causes the boost calculation logic to fail, which cascades into other dependent functions.

Tools Used

  • Foundry test

  • Manual code review

Recommendations

Update the initialization of boostState.minBoost to a valid basis points value, such as 10000 (100%). This ensures that minBoost is smaller than maxBoost and aligns with the expected basis points scale.

// Fix: Initialize minBoost to 10000 (100%)
boostState.minBoost = 10000;

Code Snippets:

// Initialize boost parameters
boostState.maxBoost = 25000; // 2.5x
boostState.minBoost = 1e18; // Incorrect value (too large)
boostState.boostWindow = 7 days;

Fixed Code:

// Initialize boost parameters
boostState.maxBoost = 25000; // 2.5x
boostState.minBoost = 10000; // 1x (corrected value)
boostState.boostWindow = 7 days;

Affected Functions:

  1. getUserWeight:

function getUserWeight(address account) public view virtual returns (uint256) {
    uint256 baseWeight = _getBaseWeight(account);
    return _applyBoost(account, baseWeight); // Reverts due to incorrect minBoost
}

  2. earned:

function earned(address account) public view returns (uint256) {
    return (getUserWeight(account) *
        (getRewardPerToken() - userStates[account].rewardPerTokenPaid) / 1e18
    ) + userStates[account].rewards; // Reverts because getUserWeight reverts
}

  3. _updateReward:

function _updateReward(address account) internal {
    rewardPerTokenStored = getRewardPerToken();
    lastUpdateTime = lastTimeRewardApplicable();
    if (account != address(0)) {
        UserState storage state = userStates[account];
        state.rewards = earned(account); // Reverts because earned reverts
        state.rewardPerTokenPaid = rewardPerTokenStored;
        state.lastUpdateTime = block.timestamp;
        emit RewardUpdated(account, state.rewards);
    }
}

Additional Considerations:

  1. Documentation: Clearly document that maxBoost and minBoost are defined in basis points (where 10000 = 100%).

  2. Validation: Add checks in the constructor to ensure maxBoost > minBoost.
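The constructor validation suggested above, written out as an added example (it is not the audited BaseGauge code). The contract name, the BPS constant, the InvalidBoostRange error, the lower bound of 1x on minBoost and the linear applyBoost curve are all assumptions made for illustration; the page does not show the body of _applyBoost.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration only; hypothetical contract, not the project's code.
contract BoostConfigExample {
    // Both boost bounds are expressed in basis points: 10000 = 100% = 1x.
    uint256 public constant BPS = 10_000;

    struct BoostState {
        uint256 maxBoost;    // basis points, e.g. 25000 = 2.5x
        uint256 minBoost;    // basis points, e.g. 10000 = 1x
        uint256 boostWindow; // seconds
    }

    BoostState public boostState;

    error InvalidBoostRange(uint256 minBoost, uint256 maxBoost);

    constructor(uint256 minBoost_, uint256 maxBoost_) {
        // maxBoost > minBoost is the check the finding recommends.
        // minBoost >= 1x is an extra assumption of this example.
        // Together they reject minBoost = 1e18 with maxBoost = 25000 at deploy time.
        if (minBoost_ < BPS || maxBoost_ <= minBoost_) {
            revert InvalidBoostRange(minBoost_, maxBoost_);
        }
        boostState.maxBoost = maxBoost_;
        boostState.minBoost = minBoost_;
        boostState.boostWindow = 7 days;
    }

    /// Hypothetical boost curve: linear from minBoost to maxBoost.
    /// share and total are assumed inputs (a user's voting power and the total).
    function applyBoost(uint256 baseWeight, uint256 share, uint256 total)
        public view returns (uint256)
    {
        if (total == 0) return (baseWeight * boostState.minBoost) / BPS;
        if (share > total) share = total;
        // With checked arithmetic (Solidity >= 0.8), a minBoost larger than
        // maxBoost would make this subtraction revert with Panic(0x11).
        uint256 range = boostState.maxBoost - boostState.minBoost;
        uint256 boostBps = boostState.minBoost + (range * share) / total;
        return (baseWeight * boostBps) / BPS;
    }
}
```

Deploying with (1e18, 25000) reverts with InvalidBoostRange in the constructor, so the misconfiguration surfaces at deployment rather than on every later call to a reward function.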

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

boostState.minBoost is set to 1e18
