Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Missing Cooldown Checks Lead to Gauge Weight Exploitation

holydevoti0n

Summary

The GaugeController contract defines vote delay constants but fails to enforce them in the voting mechanism, allowing users to vote multiple times without any time restrictions between votes. This could potentially lead to vote manipulation through rapid successive voting.

Vulnerability Details

The GaugeController contract includes predefined constants for vote delays:

VOTE_DELAY

MIN_VOTE_DELAY

MAX_VOTE_DELAY

Additionally, it maintains a mapping to track users' last vote times:

/// @notice Last vote timestamp for each user

mapping(address => uint256) public lastVoteTime;

However, the contract fails to implement the actual time delay check in the voting logic. The current implementation allows users to:

Call the vote function multiple times without any time restrictions
Bypass the intended voting cooldown period
Potentially manipulate voting weights through rapid consecutive votes

Impact

Malicious users can exploit this vulnerability to rapidly change their votes, potentially manipulating gauge weights and reward distributions
Rapid voting could lead to unfair distribution of rewards and destabilize the intended tokenomics.

Tools Used

Manual Review

Recommendations

Implement the vote delay enforcement in the vote function.

function vote(address gauge, uint256 weight) external override whenNotPaused {

+ if (block.timestamp < lastVoteTime[msg.sender] + VOTE_DELAY) revert VotingTooFrequent();

+ lastVoteTime[msg.sender] = block.timestamp;

if (!isGauge(gauge)) revert GaugeNotFound();

if (weight > WEIGHT_PRECISION) revert InvalidWeight();

...

}

Create a function that allows to update VOTE_DELAY, checking whether the new value is within MIN and MAX values.

+ function setVoteDelay(uint256 newDelay) external onlyOwner {

+ if (newDelay < MIN_VOTE_DELAY || newDelay > MAX_VOTE_DELAY) {

+ revert InvalidVoteDelay();

+ }

+ VOTE_DELAY = newDelay;

+ emit VoteDelayUpdated(newDelay);

+ }

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

GaugeController::vote never enforces VOTE_DELAY or updates lastVoteTime, allowing users to spam votes and manipulate gauge weights without waiting

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

GaugeController::vote never enforces VOTE_DELAY or updates lastVoteTime, allowing users to spam votes and manipulate gauge weights without waiting

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!