Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Users can delegate the same tokens to an infinite number of users at the same time

OpaBatyo

Summary

Users can delegate boost using the same tokens to an infinite number of users at the same time.

Vulnerability Details

The BoostController allows people to delegate a boost to another user:

function delegateBoost(
address to,
uint256 amount,
uint256 duration
) external override nonReentrant {
if (paused()) revert EmergencyPaused();
if (to == address(0)) revert InvalidPool();
if (amount == 0) revert InvalidBoostAmount();
if (duration < MIN_DELEGATION_DURATION || duration > MAX_DELEGATION_DURATION)
revert InvalidDelegationDuration();
uint256 userBalance = IERC20(address(veToken)).balanceOf(msg.sender);
if (userBalance < amount) revert InsufficientVeBalance();
UserBoost storage delegation = userBoosts[msg.sender][to];
if (delegation.amount > 0) revert BoostAlreadyDelegated();
delegation.amount = amount;
delegation.expiry = block.timestamp + duration;
delegation.delegatedTo = to;
delegation.lastUpdateTime = block.timestamp;
emit BoostDelegated(msg.sender, to, amount, duration);
}

But during boost delegation there is no lockup of the user's tokens or any limitation on number of addresses the boost is delegated to. This is an issue since if a user owns multiple accounts with locked tokens, they can use each account to delegate boost the rest of their accounts and exponentially increase their boosts.

Alice can have 10 accounts and with each account delegate her boost to the other 9. With each new account she makes and repeats this she will get exponentially more boosts on all of them.

The system is trying to mimic and achieve Curve style boost delegations, but in Curve:

  1. When you delegate boost to someone, it reduces your available boost that can be delegated to others

  2. The total boost you can delegate across all addresses is capped by your actual token holdings

  3. The delegated boost is tracked and accounted for to prevent "double-spending" of boost power

In RAAC's implementation, there is a significant deviation by allowing users to delegate boost the same tokens to multiple accounts, regardless of the total boost delegated, which is a concern since:

  1. It could lead to boost power inflation, where users can effectively multiply their influence beyond their actual token holdings

  2. It breaks the economic assumptions about boost scarcity and value

  3. It could potentially be exploited to manipulate voting or reward systems that depend on boost calculations

Impact

Multiple impacts:

  1. It could lead to boost power inflation, where users can effectively multiply their influence beyond their actual token holdings

  2. It breaks the economic assumptions about boost scarcity and value

  3. It could potentially be exploited to manipulate voting or reward systems that depend on boost calculations

The RAAC protocol is supposed mimic and achieve Curve style boost delegations but fails to do so in the way it's implemented. No boost scarcity and value exists.

Tools Used

Manual Review

Recommendations

Cap the total boost users can delegate across all addresses by actual token holdings or already used up boost delegations.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BoostController::delegateBoost lacks total delegation tracking, allowing users to delegate the same veTokens multiple times to different pools for amplified influence and rewards

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!