Core Contracts

Summary

When the gauge contract(BaseGauge.sol) is initialized, boostState.maxBoost is set to 25000 and boostState.minBoost is set to 1e18. Gauge contract’s function setBoostParameters can only be called by GaugeController contract to reset maxBoost/minBoost. But there is no way/function to call Gauge contract’s function setBoostParameters in the GaugeController contract. As a result, when boostRange = params.maxBoost - params.minBoost i.e 25000 - 1e18 is calculated in _applyBoost function , this will revert due to underflow.

Vulnerability Details

1. When the gauge contract is initialized, boostState.maxBoost is set to 25000 and boostState.minBoost is set to 1e18. Gauge contract’s function setBoostParameters can only be called by GaugeController contract to reset maxBoost/minBoost. But there is no way/function to call Gauge contract’s function setBoostParameters in the GaugeController contract.

2. when function _updateReward(gauge contract) is called , function _updateReward calls function earned which calls function getUserWeight which calls function _applyBoost where params.maxBoost is set to 25000 and params.minBoost is set to 1e18.

3. function _applyBoost calls BoostCalculator’s calculateBoost function i.e BoostCalculator.calculateBoost(

** veBalance,**

** totalVeSupply,**

** params**

** );**

**4. see library BoostCalculator’s function calculateBoost where boostRange = params.maxBoost - params.minBoost i.e boostRange = 25000 - 1e18 = −999999999999999750, so the boostRange calculation will revert due to underflow. **

5. as a result, all function execution which calls updateReward modifier will revert due to underflow.

\

Impact

all function execution which calls updateReward modifier will revert due to underflow in gauge contract because boostState.minBoost is set to 1e18 which should be set to 10000.

Tools Used

manual review

Recommendations

When the gauge contract is initialized, boostState.minBoost should be set to 10000.