Submission Details
Severity:
Any user can vote with any weight on any gauge in GaugeController contract, breaking core assumptions.
Summary
vote function in GaugeController contract is defined as follows:
function vote(address gauge, uint256 weight) external override whenNotPaused {
if (!isGauge(gauge)) revert GaugeNotFound();
if (weight > WEIGHT_PRECISION) revert InvalidWeight();
uint256 votingPower = veRAACToken.balanceOf(msg.sender);
if (votingPower == 0) revert NoVotingPower();
uint256 oldWeight = userGaugeVotes[msg.sender][gauge];
userGaugeVotes[msg.sender][gauge] = weight;
_updateGaugeWeight(gauge, oldWeight, weight, votingPower);
emit WeightUpdated(gauge, oldWeight, weight);
}
The only check ensures that weight argument is not greater than 10 000.
The problem arises because a user could vote with a weight of 10 000 on every gauge. This is not the expected behaviour as it breaks internal logic for weight in gauges.
Impact
The impact of this issue is high.
Tools Used
Manual review.
Recommendations
Ensure that a user can vote on various gauges but with a total voting weight of 10000.
Updates
Lead Judging Commences
inallhonesty 7 months ago
Submission Judgement Published Assigned finding tags:
GaugeController::vote lacks total weight tracking, allowing users to allocate 100% of voting power to multiple gauges simultaneously
inallhonesty 7 months ago
Submission Judgement Published Assigned finding tags:
GaugeController::vote lacks total weight tracking, allowing users to allocate 100% of voting power to multiple gauges simultaneously
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420
USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.