Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

BoostController returns MAX_BOOST for any non-zero boost delegation

glightspeed2

Summary

BoostController returns MAX_BOOST for any non-zero boost delegation.

Vulnerability Details

The BoostController is designed to manage boost calculations and delegations for the protocol. It implements Curve-style boost mechanics with configurable multipliers and supports pool-specific boost management.

Users can delegate their boost to a pool, and get boost multiplier for that pool.

Take a look at BoostController.getBoostMultiplier:

function getBoostMultiplier(
address user,
address pool
) external view override returns (uint256) {
if (!supportedPools[pool]) revert PoolNotSupported();
UserBoost storage userBoost = userBoosts[user][pool];
if (userBoost.amount == 0) return MIN_BOOST;
// Calculate actual boost multiplier in basis points
@> uint256 baseAmount = userBoost.amount * 10000 / MAX_BOOST;
@> return userBoost.amount * 10000 / baseAmount; // @audit will return MAX_BOOST
}

For any non-zero userBoost, multiplier is calculated as:

userBoost.amount * 10000 / baseAmount
= userBoost.amount * 10000 / (userBoost.amount * 10000 / MAX_BOOST)
= MAX_BOOST

Impact

Any non-zero delegation will result in MAX_BOOST multiplier.

Tools Used

Manual Review

Recommendations

baseAmountshould be calculated as the following:

baseAmount = poolBoost.amount * 10000 / MAX_BOOST
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BoostController::getBoostMultiplier always returns MAX_BOOST for any non-zero boost due to mathematical calculation error, defeating the incentive mechanism

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!