Core Contracts

Summary

The getBoostMultiplier function contains an incorrect mathematical formula that always returns the hardcoded MAX_BOOST (25000) instead of the actual boost multiplier. While this function is currently unused in the protocol, it introduces inaccurate logic that could mislead future integrations.

Vulnerability Details

In getBoostMultiplier, the boost multiplier is calculated as:

This simplifies to:

Result: The function always returns 25000 (the value of MAX_BOOST), regardless of the actual boost state.

Impact

• Current Impact: Low. The function is not used internally or externally in the current codebase, so no active systems are affected.

• Future Risk: If the function is later integrated into reward calculations or frontends, it would return incorrect data, leading to misrepresented user boosts.

• Code Quality: Introduces misleading logic that could confuse developers during future maintenance.

Severity: Low (no direct impact, but introduces a code flaw).

Tools Used

• Manual code review to trace function usage.

• Mathematical analysis of the formula.

Recommendations

1. Fix the Formula: Calculate the multiplier using the base amount without boost (e.g., stored separately or derived from veToken balances):

   uint256 baseAmount = ...; // Fetch actual base amount (e.g., from storage or external call)

   return (userBoost.amount * 10000) / baseAmount;

2. Deprecate Unused Function: If the function serves no purpose, remove it or add a deprecated tag to prevent future misuse.

3. Add Comments: Clearly document the function’s intent and limitations if retained.

While the issue is low-risk today, resolving it improves code integrity and prevents future errors.