Core Contracts

Summary

**when the function earned is called for a user in a gauge to calculate user rewards, rewards are calculated based on user weights for this gauge. But when the _getBaseWeight is called to get weights to this gauge for the user, this function returns gauge contract’s g.weight from GaugeController but this should return weights to this gauge for the user. As a result, initial reward claimers will get more rewards based on gauge’s g.weight/total weight and later/end reward claimers may not get any rewards. **

Vulnerability Details

**1. Let’s assume, a gauge’s (assume gauge1) g.weight i.e total weight = 1000, a user’s weight to this gauge1 is 100 in the GaugeController contract accounting. **

**2. when the user claims the rewards from gauge1 contract, function getReward(gauge1 contract) is called which calls updateReward function for the user, updateReward function calls function earned for the user. **

**3. the function earned calls the function getUserWeight to get the user weight for this gauge1. User will get rewards based on his weights. **

4. the function getUserWeight calls _getBaseWeight function for this user. But the function _getBaseWeight calls GaugeController’s getGaugeWeight for the gauge1 address i.e GaugeController(controller).getGaugeWeight(address(this)) which returns gauge1’s g.weight i.e total weight = 1000. But it should return the user’s weight to this gauge1 i.e 100

**5. as a result, the user will get rewards based on weight 1000 and the user will get more rewards . so initial reward claimers will get more rewards and later/end reward claimers may not get any rewards. **

Impact

** initial reward claimers will get more rewards based on gauge’s g.weight/total weight and later/end reward claimers may not get any rewards. **

Tools Used

manual review

Recommendations

calculate rewards based on weights to this gauge for the user.