Core Contracts

Summary

In BoostController.sol function updateUserBoost causes the workingSupply variable to be overwritten instead of being incremented or decremented properly. It seems to be an intended behaviour, however this results in the total working supply of the pool being artificially lowered, leading to incorrect boost calculations.

Vulnerability Details

The function updateUserBoost is responsible for updating a user's boost within a pool.

This line overwrites the global workingSupply variable instead of properly accumulating or reducing the user's change in boost. This means:

1. Each time a user updates their boost, the entire pool's workingSupply is replaced with just that user's new boost value.

2. Existing contributions from other users are effectively lost, leading to an incorrectly low workingSupply value.

3. When removeBoostDelegation is called, the workingSupply is decremented without considering whose boost is being reduced.

   For example:
   3.1. Alice updates his boost.

   3.2. Bob decide to delegate boost to Alex.

   3.3. When the duration of delegated boost expires Alex calls removeBoostDelegation and the working supply set from Alice gets decreased (This issue will be reported separately)

PoC

1. Alice updates her boost to 500 → workingSupply = 500

2. Bob updates his boost to 700 → workingSupply = 700 (Alice's 500 is lost!)

3. Charlie updates his boost to 300 → workingSupply = 300 (Bob’s 700 is lost!)

This error causes the system to only consider the most recently updated user's boost, rather than the total sum of all active users' boosts.

Impact

The workingSupply will always be lower than expected, leading to incorrect boost calculations for all users in the pool.

• Users who do not frequently update their boost may not be counted at all, unfairly reducing their participation in the system.

• Boost-dependent mechanics (such as rewards and voting power) may be misallocated or exploited due to incorrect pool boost calculations.

• Malicious actors could strategically manipulate boost updates.

Tools Used

Manual review

Recommendations

Instead of overwriting workingSupply, the contract should increment or decrement the difference between the new and old boost values:

This ensures that the working supply accurately reflects all active users rather than just the most recent update.
It correctly adds new boost contributions and removes outdated ones, maintaining fairness and accuracy.
Prevents unexpected reductions in pool boost, preserving the integrity of the boost calculation system.

1. This ensures that the working supply accurately reflects all active users rather than just the most recent update.

2. It correctly adds new boost contributions and removes outdated ones, maintaining fairness and accuracy.

3. Prevents unexpected reductions in pool boost, preserving the integrity of the boost calculation system.