Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

A user can maliciously delegate boost to countless other users, breaking the intended functionality of BoostController.sol

Summary

In BoostController.sol, users are allowed to delegate more boost than they own. This could lead to an inflation of delegated boost values, resulting in unintended consequences within the system.

Vulnerability Details

The contract fails to properly enforce a limit on the amount of boost a user can delegate. While it ensures that a user cannot delegate boost more than once to a single recipient, it does not prevent them from delegating the same boost to multiple different recipients, because every call checks the amount against the full veToken balance of msg.sender.

  1. Users can delegate more boost than they actually have, leading to an inflated total boost supply.

  2. The contract does not deduct the delegated amount from the sender's available boost, allowing for unlimited delegations.

    function delegateBoost(
        address to,
        uint256 amount,
        uint256 duration
    ) external override nonReentrant {
        if (paused()) revert EmergencyPaused();
        if (to == address(0)) revert InvalidPool();
        if (amount == 0) revert InvalidBoostAmount();
        if (duration < MIN_DELEGATION_DURATION || duration > MAX_DELEGATION_DURATION)
            revert InvalidDelegationDuration();

        // Checked against the sender's full veToken balance on every call;
        // earlier delegations to other recipients are not taken into account.
        uint256 userBalance = IERC20(address(veToken)).balanceOf(msg.sender);
        if (userBalance < amount) revert InsufficientVeBalance();

        // Only blocks a second delegation to the same recipient.
        UserBoost storage delegation = userBoosts[msg.sender][to];
        if (delegation.amount > 0) revert BoostAlreadyDelegated();

        delegation.amount = amount;
        delegation.expiry = block.timestamp + duration;
        delegation.delegatedTo = to;
        delegation.lastUpdateTime = block.timestamp;
        emit BoostDelegated(msg.sender, to, amount, duration);
    }

Impact

  1. Users can manipulate the boost distribution by delegating far beyond their actual balance.

  2. Some users may receive an unfair amount of boost, affecting protocol fairness.

PoC

  1. Assume the attacker has 100 veTokens available for delegation.
    The contract checks if the user has sufficient veTokens before delegating but does not deduct delegated amounts from the available balance.

  2. The attacker starts by delegating boost to Victim A.
    Instead of being limited by their total balance, the attacker repeats the delegation to multiple addresses (Victim B, Victim C, etc.).
    Since the contract does not track already delegated boost, the attacker effectively delegates unlimited boost without restriction.

  3. The protocol now has an inflated boost supply, as multiple users receive significant amounts of boost that should not exist.
    The attacker can favor certain users or manipulate the distribution of boost in a way that was not intended.

Tools Used

Manual review

Recommendations

Enforce a Global Boost Limit:

  • Ensure that the total delegated boost cannot exceed the user's actual boost balance.

  • Deduct delegated boost from the sender’s available boost upon delegation or provide a new variable that will account for the delegated boost.

Modify delegateBoost to Track and Reduce Sender’s Boost:

  • Before delegating, check the user's total remaining boost.

  • Subtract the delegated amount from the user's available boost to prevent multiple delegations of the same amount.
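
One way to implement these recommendations, added here as an example and not taken from the project's code or its fix. `totalDelegated`, `removeDelegation`, `IVeBalance` and the errors `InvalidRecipient` and `DelegationNotExpired` are hypothetical names; the pause, reentrancy and duration checks of the original function are left out to keep the focus on the accounting.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example: stand-in for the veToken balance lookup.
interface IVeBalance {
    function balanceOf(address account) external view returns (uint256);
}

contract BoostDelegationExample {
    struct UserBoost { uint256 amount; uint256 expiry; }

    error InvalidRecipient();
    error InvalidBoostAmount();
    error InsufficientVeBalance();
    error BoostAlreadyDelegated();
    error DelegationNotExpired();

    IVeBalance public immutable veToken;
    mapping(address => mapping(address => UserBoost)) public userBoosts;
    // Hypothetical name: running total of boost each user has delegated out.
    mapping(address => uint256) public totalDelegated;

    constructor(IVeBalance _veToken) { veToken = _veToken; }

    function delegateBoost(address to, uint256 amount, uint256 duration) external {
        if (to == address(0)) revert InvalidRecipient();
        if (amount == 0) revert InvalidBoostAmount();
        UserBoost storage delegation = userBoosts[msg.sender][to];
        if (delegation.amount > 0) revert BoostAlreadyDelegated();

        // Compare against what is still undelegated, not the raw balance.
        uint256 balance = veToken.balanceOf(msg.sender);
        uint256 used = totalDelegated[msg.sender];
        if (balance < used || balance - used < amount) revert InsufficientVeBalance();

        totalDelegated[msg.sender] = used + amount;
        delegation.amount = amount;
        delegation.expiry = block.timestamp + duration;
    }

    // Release the reserved amount once the delegation has expired.
    function removeDelegation(address to) external {
        UserBoost storage delegation = userBoosts[msg.sender][to];
        if (delegation.amount == 0) revert InvalidBoostAmount();
        if (block.timestamp < delegation.expiry) revert DelegationNotExpired();
        totalDelegated[msg.sender] -= delegation.amount;
        delete userBoosts[msg.sender][to];
    }
}
```

If the sender's veToken balance has fallen below the amount already delegated, the `balance < used` branch reverts with `InsufficientVeBalance` rather than underflowing.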

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BoostController::delegateBoost lacks total delegation tracking, allowing users to delegate the same veTokens multiple times to different pools for amplified influence and rewards
