Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Users can `vote` all gauges with their maximum voting power

alexczm

Summary

GaugeController doesnt keep track of user's weight used to vote for gauges. Users can vote all gauges with same maxWeight.

Vulnerability Details

Users can call GaugeCOntroller::vote to allocate a weight percentage of their votingPower to desired gauge.

function vote(address gauge, uint256 weight) external override whenNotPaused {

if (!isGauge(gauge)) revert GaugeNotFound();

if (weight > WEIGHT_PRECISION) revert InvalidWeight();

uint256 votingPower = veRAACToken.balanceOf(msg.sender);

if (votingPower == 0) revert NoVotingPower();

uint256 oldWeight = userGaugeVotes[msg.sender][gauge];

userGaugeVotes[msg.sender][gauge] = weight;

@> _updateGaugeWeight(gauge, oldWeight, weight, votingPower);

emit WeightUpdated(gauge, oldWeight, weight);

}

function _updateGaugeWeight(

address gauge,

uint256 oldWeight,

uint256 newWeight,

uint256 votingPower

) internal {

Gauge storage g = gauges[gauge];

uint256 oldGaugeWeight = g.weight;

@> uint256 newGaugeWeight = oldGaugeWeight - (oldWeight * votingPower / WEIGHT_PRECISION)

+ (newWeight * votingPower / WEIGHT_PRECISION);

g.weight = newGaugeWeight;

g.lastUpdateTime = block.timestamp;

}

In _updateGaugeWeight(), the old oldWeight * votingPower / WEIGHT_PRECISION is subtracted then the new weight is added to gauge's weight : newWeight * votingPower / WEIGHT_PRECISION

Users can pass max weight = WEIGHT_PRECISION = 10_000 to vote() function and vote all gauges with their entire voting power.
Let's take the following example:

alice and bob have same amount of votingPower, 99k;
alice wants to allocate 100% of her voting power to gaugeA; she calls vote(gaugeA, 10_000) and gaugeA.weight is set to 99k.
bob vote both gauges with 100% of his voting power: gaugeB.weight is set to 99k, gaugeA.weight is updated to 198k.
when rewards are distributed, gaugeA receive 1/3 of the rewards and gaugeB receives 2/3 rewards even if both users had same amount of votingPower.

Impact

Users can allocate their voting power to all gauges.

Tools Used

Recommendations

Keep track of weight amount consumed by each users. Do not allow user's total weight to surpass WEIGHT_PRECISION = 10_000.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

GaugeController::vote lacks total weight tracking, allowing users to allocate 100% of voting power to multiple gauges simultaneously

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

GaugeController::vote lacks total weight tracking, allowing users to allocate 100% of voting power to multiple gauges simultaneously

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!