Gauge rewards are calculated incorrectly
Summary
BaseGauge.earned function calculates earned rewards incorrectly due to getUserWeight returning the weight of the gauge instead of the user
Details
earned is supposed to calculate the rewards due to be paid to each user by multiplying the weight of their stake by the rewardPerToken variable. However, instead of fetching the amount of the user's stake, the function calls getUserWeight(user) which returns the weight of the gauge.
As we can see from the snippet above, _getBaseWeight is passed an account input which is actually unused. All users will be assigned incorrect rewards, disregarding their staked amount. Furthermore, rewards can be stolen by anyone, even if they are not a current staker by just invoking getRewards since they will too get assigned the gauge's weight as token balance.
Impact
Theft of funds, incorrect reward distribution, broken core functionality
Mitigation
Fetch the stake of the user instead of the gauge's weight
Lead Judging Commences
BaseGauge::earned calculates rewards using getUserWeight instead of staked balances, potentially allowing users to claim rewards by gaining weight without proper reward checkpoint updates
BaseGauge::earned calculates rewards using getUserWeight instead of staked balances, potentially allowing users to claim rewards by gaining weight without proper reward checkpoint updates
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.