Regnum Aurum Acquisition Corp (Core Contracts)
Hardhat / Real World Assets / NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Missing vote delay allows manipulation of `GaugeController`

Vulnerability Details

The GaugeController needs a vote delay to prevent manipulation. The docs state this: run them as explained in the contest README and go to:

http://localhost:3000/core/governance/gauges/GaugeController?id=usage-notes

The delay state is also declared on the GaugeController itself (`VOTE_DELAY` and the `lastVoteTime` mapping).

Yet if you trace their usage you can see that they are never read or written: `vote()` neither checks `VOTE_DELAY` nor updates `lastVoteTime`. This means the gauge weights held by the GaugeController can be manipulated by any voter at any time.

Impact

Manipulation of the vote results, which determine how many rewards each gauge receives.

Manipulation example

Users need to decide whether to stake on a gauge or not. If they see a gauge gathering more votes, they will naturally stake there.

But at the last minute, because there is no delay between votes, an attacker can move their votes to another gauge, one where they hold a larger share of the stake, so that the rewards land where the attacker benefits most and the users who followed the earlier vote are left on a gauge that no longer receives them.

There must be a level of commitment to a vote; this is why the delay matters.

Recommendations

Enforce the delay at the beginning of the `vote()` function, keyed on `msg.sender`: require that at least `VOTE_DELAY` has passed since `lastVoteTime[msg.sender]`, and update `lastVoteTime[msg.sender]` to `block.timestamp` before any gauge weight is changed. Keying the delay per user (not per user-and-gauge) is what stops a voter from shifting weight from one gauge to another within a single block.
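The following contract is an added illustration written for this report, not the RAAC GaugeController and not code from the contest repository. Only the names `VOTE_DELAY` and `lastVoteTime` come from the audited contract; the delay value, the basis-point weight convention, the `votingPower` mapping standing in for a veToken balance, and the function names `voteUnchecked` and `_applyVote` are assumptions made so the example compiles stand-alone. It places the reported bug (the unchecked path) beside the recommended fix.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical, minimal gauge controller written for this report.
/// It is NOT the RAAC GaugeController; only VOTE_DELAY and lastVoteTime
/// are names taken from the audited contract. Everything else is assumed.
contract GaugeControllerExample {
    uint256 public constant VOTE_DELAY = 10 days;      // assumed value
    uint256 public constant WEIGHT_PRECISION = 10_000; // assumed: weights in basis points

    mapping(address => uint256) public votingPower;    // assumed stand-in for a veToken balance
    mapping(address => uint256) public lastVoteTime;   // last vote timestamp per voter
    mapping(address => mapping(address => uint256)) public userGaugeWeights; // voter => gauge => bps
    mapping(address => uint256) public gaugeWeights;   // gauge => total weighted votes

    error VoteDelayNotElapsed(uint256 availableAt);
    error InvalidWeight();

    constructor() {
        // Constructed sample balance so the deployer can vote in a local test.
        votingPower[msg.sender] = 1_000e18;
    }

    /// BEFORE (the reported bug): VOTE_DELAY and lastVoteTime exist as state but
    /// are never read or written, so a voter can re-vote in the same block, e.g.
    /// voteUnchecked(gaugeA, 10_000) early on, then at the last minute
    /// voteUnchecked(gaugeA, 0) followed by voteUnchecked(gaugeB, 10_000).
    function voteUnchecked(address gauge, uint256 weight) external {
        _applyVote(msg.sender, gauge, weight);
    }

    /// AFTER: enforce the delay at the top of vote(), keyed on msg.sender, and
    /// record the vote time before any gauge weight changes. The first vote of
    /// an account (lastVoteTime == 0) is always allowed; every later vote must
    /// wait VOTE_DELAY, regardless of which gauge it targets.
    function vote(address gauge, uint256 weight) external {
        uint256 last = lastVoteTime[msg.sender];
        if (last != 0 && block.timestamp < last + VOTE_DELAY) {
            revert VoteDelayNotElapsed(last + VOTE_DELAY);
        }
        lastVoteTime[msg.sender] = block.timestamp;
        _applyVote(msg.sender, gauge, weight);
    }

    /// Shared accounting: replace the voter's previous allocation to `gauge`
    /// with `weight` (basis points of the voter's voting power).
    function _applyVote(address voter, address gauge, uint256 weight) internal {
        if (weight > WEIGHT_PRECISION) revert InvalidWeight();
        uint256 power = votingPower[voter];
        uint256 oldWeight = userGaugeWeights[voter][gauge];

        gaugeWeights[gauge] = gaugeWeights[gauge]
            - (power * oldWeight) / WEIGHT_PRECISION
            + (power * weight) / WEIGHT_PRECISION;
        userGaugeWeights[voter][gauge] = weight;
    }
}
```

With `voteUnchecked`, the three-call sequence in the comment moves the full voting power from gauge A to gauge B inside one block. With `vote`, the second call reverts with `VoteDelayNotElapsed` until `VOTE_DELAY` has passed, so the attacker must commit to their allocation well before rewards are distributed. The delay is keyed on the voter alone: keying it on the (voter, gauge) pair would still let a voter zero out gauge A and fill gauge B in the same transaction, since those are different keys.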

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

GaugeController::vote never enforces VOTE_DELAY or updates lastVoteTime, allowing users to spam votes and manipulate gauge weights without waiting