Boost state's current voting power is incorrectly overwritten instead of accumulated
Summary
When users lock tokens, the global boost state which is included in "boost calculations for rewards" is updated incorrectly.
Vulnerability Details
When users lock RAAC for veRAAC tokens, the global stored boost state which is responsible for boost calculations for rewards is updated. During the update, the _boostState.votingPower is overwritten with the calling user's power at the current timestamp:
This is an issue since the _boostState.votingPower varible tracks the current voting power which is a part of the global state. With the current implementation, the current voting power will always be overwritten with the last person to lock their tokens' current voting power. It should instead be incremented by that amount.
Impact
The global current voting power is always overwritten with the last person to lock tokens' current voting power, instead of accumulated.
Tools Used
Manual Review
Recommendations
Increment instead of overwrite.
Lead Judging Commences
veRAACToken::_updateBoostState sets _boostState.votingPower to individual user's voting power instead of global value, breaking boost calculations and skewing reward distributions
veRAACToken::_updateBoostState sets _boostState.votingPower to individual user's voting power instead of global value, breaking boost calculations and skewing reward distributions
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.