A vulnerability was identified in the removeBoostDelegation function, where the function incorrectly retrieves pool boost information using msg.sender instead of the actual pool address. This results in an unintended zeroing of values, leading to incorrect boost calculations and an inconsistent contract state.
The function retrieves the PoolBoost struct using poolBoosts[msg.sender], assuming that msg.sender represents the pool address. However, msg.sender in this context is the user calling the function, not the pool itself. Consequently, poolBoosts[msg.sender] returns a zero-initialized PoolBoost struct, and any updates made to totalBoost and workingSupply are ineffective since they do not reference the correct pool.
Affected code: BoostController::removeDelegation
This flaw leads to:
Incorrect accounting of totalBoost and workingSupply, leaving the pool's boost calculations based on wrong state.
A state inconsistency where delegations are removed but the pool’s boost data remains incorrect.
Tools used: Manual code review
Recommended mitigation: Replace poolBoosts[msg.sender] with poolBoosts[pool] so that the boost data of the correct pool is updated.
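The following is an added illustration, not the audited BoostController code. It reconstructs the defect and the fix side by side in a minimal contract: the PoolBoost struct layout, the delegations mapping and the way the subtraction is bounded to zero are assumptions chosen so that the example compiles and reproduces the "silent zeroing against the wrong slot" behaviour described above; the real contract's storage layout may differ.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical reduction of the finding. Names mirror the report
/// (PoolBoost, poolBoosts, totalBoost, workingSupply); everything else
/// (delegations mapping, bounded subtraction) is assumed for illustration.
contract BoostControllerExample {
    struct PoolBoost {
        uint256 totalBoost;
        uint256 workingSupply;
    }

    // pool address => aggregate boost bookkeeping for that pool
    mapping(address => PoolBoost) public poolBoosts;

    // user => pool => boost the user has delegated to that pool (assumed layout)
    mapping(address => mapping(address => uint256)) public delegations;

    function delegateBoost(address pool, uint256 amount) external {
        require(amount > 0, "zero amount");
        delegations[msg.sender][pool] += amount;

        PoolBoost storage pb = poolBoosts[pool];
        pb.totalBoost += amount;
        pb.workingSupply += amount;
    }

    /// Vulnerable shape: the struct is looked up by msg.sender (the user),
    /// so for any caller that is not itself a pool it is zero-initialised.
    /// The bounded subtraction (assumed) then writes zeros into the user's
    /// slot while the real pool's totals are never decremented.
    function removeBoostDelegationBuggy(address pool) external {
        uint256 amount = delegations[msg.sender][pool];
        require(amount > 0, "no delegation");
        delete delegations[msg.sender][pool];

        PoolBoost storage pb = poolBoosts[msg.sender]; // BUG: wrong key
        pb.totalBoost = pb.totalBoost > amount ? pb.totalBoost - amount : 0;
        pb.workingSupply = pb.workingSupply > amount ? pb.workingSupply - amount : 0;
        // poolBoosts[pool] still carries the removed delegation.
    }

    /// Fixed shape: index by the pool argument, as the mitigation recommends.
    function removeBoostDelegation(address pool) external {
        uint256 amount = delegations[msg.sender][pool];
        require(amount > 0, "no delegation");
        delete delegations[msg.sender][pool];

        PoolBoost storage pb = poolBoosts[pool];
        pb.totalBoost -= amount;     // reverts on underflow under 0.8.x
        pb.workingSupply -= amount;
    }

    /// Invariant a test or monitor can check: a pool's totalBoost must equal
    /// the sum of the live delegations to it. After the buggy path runs, the
    /// pool's totalBoost is larger than that sum by the removed amount.
    function poolTotalBoost(address pool) external view returns (uint256) {
        return poolBoosts[pool].totalBoost;
    }
}
```

To observe the defect, call delegateBoost(pool, 100) from a user account, then removeBoostDelegationBuggy(pool) from the same account: delegations[user][pool] becomes 0 but poolTotalBoost(pool) still returns 100, whereas removeBoostDelegation(pool) brings it back to 0. A Foundry or Hardhat test asserting that invariant after every delegation change is the cheapest regression guard for this class of wrong-key lookup.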