Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

[M-05] Unused parameter in BaseGauge's _getBaseWeight() function

Summary

The _getBaseWeight() function doesn't use the account parameter and instead uses address(this) for every call.

Vulnerability Details

At any given moment, the function returns the same result regardless of the account whose weight is requested.
As is apparent from the implementation, this is not the intended behaviour.

Location

Impact

This mistake causes every function that relies on _getBaseWeight() to return wrong results.
These functions include getUserWeight() and earned(), which are crucial for computing the rewards given to users who interact with the protocol's gauge system, so its functionality is clearly compromised.

Tools Used

Manual review.

Recommendations

Use the account address parameter instead of address(this).
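
The bug pattern and the recommended fix side by side, as an added example that is not the protocol's own code. WeightSource, GaugeModel, BuggyGauge, FixedGauge and GaugeWeightCheck are hypothetical names, and the addresses and weights are constructed values.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical weight source; these names are assumptions, not the protocol's interfaces.
contract WeightSource {
    mapping(address => uint256) public weightOf;
    function setWeight(address who, uint256 w) external { weightOf[who] = w; }
}

abstract contract GaugeModel {
    WeightSource public immutable source;
    constructor(WeightSource s) { source = s; }
    function _getBaseWeight(address account) internal view virtual returns (uint256);
    // Stand-in for getUserWeight(): anything built on the base weight inherits its error.
    function getUserWeight(address account) external view returns (uint256) {
        return _getBaseWeight(account);
    }
}

// Pattern from the finding: `account` is accepted but never read (solc warns about it).
contract BuggyGauge is GaugeModel {
    constructor(WeightSource s) GaugeModel(s) {}
    function _getBaseWeight(address account) internal view override returns (uint256) {
        return source.weightOf(address(this)); // same value whoever is asked about
    }
}

// Recommended fix: look up the weight of the account that was passed in.
contract FixedGauge is GaugeModel {
    constructor(WeightSource s) GaugeModel(s) {}
    function _getBaseWeight(address account) internal view override returns (uint256) {
        return source.weightOf(account);
    }
}

// Regression check: accounts with different weights must not get the same answer.
contract GaugeWeightCheck {
    function run() external returns (bool buggyCollapses, bool fixedDistinguishes) {
        WeightSource s = new WeightSource();
        BuggyGauge b = new BuggyGauge(s);
        FixedGauge f = new FixedGauge(s);
        address alice = address(0xA11CE); address bob = address(0xB0B); // constructed
        s.setWeight(address(b), 1000);
        s.setWeight(address(f), 1000);
        s.setWeight(alice, 10); // bob is left with no weight at all
        buggyCollapses = b.getUserWeight(alice) == b.getUserWeight(bob); // true: both 1000
        fixedDistinguishes = f.getUserWeight(alice) == 10 && f.getUserWeight(bob) == 0; // true
    }
}
```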

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BaseGauge._getBaseWeight ignores account parameter and returns gauge's total weight, allowing users to claim rewards from gauges they never voted for or staked in

