Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Invalid

Lack of supportedPools list view in BoostController

Summary

The BoostController contract does not provide an on-chain way to list all supported pools. While this is currently handled by a backend server, relying on off-chain infrastructure for essential contract functionality introduces centralization risks and potential trust issues.

Vulnerability Details

Currently, supportedPools is a mapping(address => bool), but there is no function to:

  • View all available pools.

  • Know which pools are active for boost delegation.

Because there is no on-chain method to view supportedPools, users must trust the backend to provide correct pool data.

Impact

Users are forced to trust a centralized backend rather than on-chain logic.

Tools Used

manual

Recommendations

Implement an On-Chain Function for Pool Discovery.

contract BoostController {
+ address[] private poolList;
function modifySupportedPool(address pool, bool isSupported) external onlyRole(MANAGER_ROLE) {
if (pool == address(0)) revert InvalidPool();
if (supportedPools[pool] == isSupported) revert PoolNotSupported();
supportedPools[pool] = isSupported;
if (isSupported) {
+ poolList.push(pool);
emit PoolAdded(pool);
} else {
+ for (uint256 i = 0; i < poolList.length; i++) {
+ if (poolList[i] == pool) {
+ poolList[i] = poolList[poolList.length - 1];
+ poolList.pop();
+ break;
+ }
}
emit PoolRemoved(pool);
}
}
+ function getSupportedPools() external view returns (address[] memory) {
+ return poolList;
+ }
}
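Review bot: The removal branch added to modifySupportedPool scans poolList linearly (for (uint256 i = 0; i < poolList.length; i++)), so the gas cost of removing a pool grows with the number of listed pools; consider tracking each pool's index in a mapping(address => uint256), or replacing the array and the bool mapping with OpenZeppelin's EnumerableSet.AddressSet, which gives constant-time add, remove and membership checks plus enumeration. The closing brace of the for loop is not marked with +, so the patch would not apply as written. The existing supportedPools[pool] == isSupported guard is the only thing keeping duplicates out of poolList, which is worth a comment next to the push.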
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
