Submission Details
Severity:
`MIN_VOTE_DELAY` not used in `vote()` function enabling unrestricted vote spamming
Summary
The GuageController:vote() function doesn't enforce MIN_VOTE_DELAY
Vulnerability Details
The contract defines MIN_VOTE_DELAY(10 days) but fails to enforce it in the contract.
uint256 public constant MIN_VOTE_DELAY = 1 days;
The vote function contains no checks against lastUpdatedTime[msg.sender], allowing unlimited voting frequency. Attackers can manipulate gauge weights through rapid vote spamming and negligible micro-votes, destabilizing reward distributions
Impact
-
DOS legitimate voters through gas price wars for vote inclusion
Skew RWA/RAAC reward ratios to make yield farming unsustainable
Tools Used
Manual review
Recommendations
Enforce MIN_VOTE_DELAY
Updates
Lead Judging Commences
inallhonesty 7 months ago
Submission Judgement Published Assigned finding tags:
GaugeController::vote never enforces VOTE_DELAY or updates lastVoteTime, allowing users to spam votes and manipulate gauge weights without waiting
inallhonesty 7 months ago
Submission Judgement Published Assigned finding tags:
GaugeController::vote never enforces VOTE_DELAY or updates lastVoteTime, allowing users to spam votes and manipulate gauge weights without waiting
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420
USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.