The current implementation of the reward distribution system in the BaseGauge contract does not correctly account for users who have no staked tokens. All users, regardless of whether they have staked tokens, receive the same weight when rewards are calculated. As a result, users with no stake still receive rewards even though they contribute nothing to the staked amount. The cause is that getUserWeight() retrieves the gauge's weight via _getBaseWeight() without considering the user's actual staked amount.
Rewards Distribution: Users who have not staked any tokens (i.e., those with a zero balance) can still receive rewards as if they were contributing to the staking pool, which results in an unfair rewards allocation.
The earned(address account) function calculates the rewards for a given user from their weight, which comes from getUserWeight(account). That function in turn derives the weight from _getBaseWeight(account) and any applied boost (via _applyBoost(account, baseWeight)).
Key Problem:
_getBaseWeight(account) retrieves the weight of the user's gauge position, but it does not account for the actual amount of tokens staked by the user.
As a result, users with zero staked tokens can have the same weight as users with significant staked tokens, because the weight is not adjusted to reflect the user’s actual stake.
This means that users without any staked tokens (those with zero stake) still get rewarded based on their weight calculation, which is wrong and unfair.
The getUserWeight(account) function should return a weight based on the user's staked amount, rather than using the gauge’s base weight which does not consider staking participation.
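To make the effect of the two weighting rules concrete, the following is an added simplified model of the reward accounting described above. It is not code from the BaseGauge contract; the class, account names, stake amounts, the basis-point boost representation and the reward figure are all constructed for illustration. It runs the same reward distribution twice, once with a weight taken from a uniform gauge base weight (the reported behaviour) and once with a weight derived from the account's staked amount (the recommended behaviour), and shows that only the latter gives a zero-stake account a zero share.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict

BPS = 10_000  # boost multipliers are expressed in basis points; 10_000 == 1.0x (assumed representation)


@dataclass
class GaugeModel:
    """Constructed model of gauge reward weighting; not the BaseGauge contract."""
    base_weight: int                                   # gauge-level weight returned for every account
    stakes: Dict[str, int] = field(default_factory=dict)   # account -> staked token amount
    boosts: Dict[str, int] = field(default_factory=dict)   # account -> boost in basis points

    def _apply_boost(self, account: str, weight: int) -> int:
        # Mirrors the role of _applyBoost(account, baseWeight): scale a weight by the account's boost.
        return weight * self.boosts.get(account, BPS) // BPS

    def user_weight_flawed(self, account: str) -> int:
        # Reported behaviour: the weight starts from the gauge base weight and never looks at the stake.
        return self._apply_boost(account, self.base_weight)

    def user_weight_fixed(self, account: str) -> int:
        # Recommended behaviour: the weight starts from the account's staked amount, so zero stake -> zero weight.
        return self._apply_boost(account, self.stakes.get(account, 0))

    def distribute(self, total_reward: int, weight_fn: Callable[[str], int]) -> Dict[str, int]:
        # Pro-rata split of total_reward by weight, integer arithmetic as a contract would do it.
        weights = {acct: weight_fn(acct) for acct in self.stakes}
        total_weight = sum(weights.values())
        if total_weight == 0:
            return {acct: 0 for acct in weights}
        return {acct: total_reward * w // total_weight for acct, w in weights.items()}


def build_sample() -> GaugeModel:
    # Constructed scenario: bob has deposited nothing, carol has a 1.5x boost.
    return GaugeModel(
        base_weight=100,
        stakes={"alice": 1_000, "bob": 0, "carol": 3_000},
        boosts={"carol": 15_000},
    )


def compare(total_reward: int = 1_000) -> Dict[str, Dict[str, int]]:
    """Return the reward split under both weighting rules for the sample scenario."""
    model = build_sample()
    return {
        "flawed": model.distribute(total_reward, model.user_weight_flawed),
        "fixed": model.distribute(total_reward, model.user_weight_fixed),
    }


if __name__ == "__main__":
    for rule, split in compare().items():
        print(rule, split)
```

Under the flawed rule every account's weight is the same base weight (times its boost), so bob receives a share despite a zero stake; under the fixed rule bob's weight and share are both zero and the reward is split between the accounts that actually deposited.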