In the BoostController contract, users can delegate their boosts to other users. A delegation is given an expiry date, and the delegated user can remove the delegation once the expiry date has passed. However, there are a couple of issues with this logic:
- The delegator cannot revoke the delegation.
- The delegated user has no incentive to revoke this boost.
- The expiry field in UserBoost is not enforced in the contract.
- No automatic cleanup: expired delegations remain active unless manually removed by the delegatee.
Alice delegates her boost to Bob with an expiry of 15 days by calling the delegateBoost function. After 15 days have passed, Bob can remove this boost by calling the following function:
As can be seen, this function can only be called by the delegated user, Bob, so Alice cannot revoke the delegation. Moreover, there is no incentive for Bob to remove the boost; he can keep it forever. Why wouldn't he?
The expiry is not enforced, so Bob will be boosted by Alice for as long as he likes, and there's nothing anyone can do about it.
This goes against the logic of delegation and puts the delegator at a disadvantage.
Change the logic so that:
- Delegators can revoke their delegations
- The expiry is actually enforced
- Cleanup logic is added
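One way the three recommendations above could fit together, as an added sketch that is not the project's BoostController code. Apart from delegateBoost, UserBoost and expiry, every name here is hypothetical, and letting the delegator revoke at any time and letting any caller clean up after expiry are design assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration only; hypothetical contract, not the audited code.
contract BoostDelegationSketch {
    struct UserBoost {
        uint256 amount; // delegated boost amount
        uint256 expiry; // timestamp after which the delegation no longer counts
    }

    // delegator => delegatee => delegation record (hypothetical layout)
    mapping(address => mapping(address => UserBoost)) private delegations;

    error InvalidDelegation();
    error AlreadyDelegated();
    error NoDelegation();
    error NotAuthorized();

    event BoostDelegated(address indexed from, address indexed to, uint256 amount, uint256 expiry);
    event DelegationRemoved(address indexed from, address indexed to, address indexed caller);

    function delegateBoost(address to, uint256 amount, uint256 duration) external {
        if (to == address(0) || amount == 0 || duration == 0) revert InvalidDelegation();
        UserBoost storage d = delegations[msg.sender][to];
        // An expired record may be overwritten; a live one may not.
        if (d.amount != 0 && block.timestamp < d.expiry) revert AlreadyDelegated();
        d.amount = amount;
        d.expiry = block.timestamp + duration;
        emit BoostDelegated(msg.sender, to, amount, d.expiry);
    }

    // Expiry is enforced where the boost is read: an expired delegation
    // contributes zero even if nobody has removed the record yet.
    function activeDelegatedBoost(address from, address to) public view returns (uint256) {
        UserBoost storage d = delegations[from][to];
        return block.timestamp < d.expiry ? d.amount : 0;
    }

    // Before expiry only the delegator may remove the delegation (revocation).
    // After expiry any caller may remove it, so cleanup does not depend on
    // the delegatee choosing to act.
    function removeDelegation(address from, address to) external {
        UserBoost storage d = delegations[from][to];
        if (d.amount == 0) revert NoDelegation();
        if (msg.sender != from && block.timestamp < d.expiry) revert NotAuthorized();
        delete delegations[from][to];
        emit DelegationRemoved(from, to, msg.sender);
    }
}
```

Because the read path checks expiry, a stale record has no effect on boost even before it is deleted; the permissionless removal only reclaims storage.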