Core Contracts

Summary

In BoostController.sol, totalBoost and workingSupply gradually decrease over time due to an imbalance in boost delegation and removal. When a user delegates boost, the recipient's boost increases, but totalBoost and workingSupply remain unchanged. However, when the delegation expires, removing the boost decreases totalBoost and workingSupply, causing a net loss of boost in the system.

Vulnerability Details

Boost delegation increases recipient's boost without adjusting totalBoost

When a user delegates boost, the recipient's boost amount increases. However, this action does not update totalBoost or workingSupply, leading to an inconsistency between individual boosts and the system-wide boost balance.

Boost removal decreases totalBoost and workingSupply, draining the system

When a delegated boost expires, the recipient can call removeBoostDelegation(). This function decreases both totalBoost and workingSupply by the delegation amount. Since delegation does not increase totalBoost but removal reduces it, the overall boost supply diminishes over time.

This imbalance allows repeated delegation and removal to progressively deplete the available boost, leading to unintended consequences in the protocol.

Impact

Boost depletion over time

As users repeatedly delegate and later remove boost, totalBoost and workingSupply continuously decrease, disrupting the protocol's intended functionality.

Unfair advantage for malicious users

Users can deliberately exploit this flaw to reduce totalBoost, weakening the boost effect for others. Since boost calculations affect rewards and governance voting, this could skew incentives and compromise the fairness of the system.

PoC

1. Assume the totalBoost and workingSupply in the protocol are 1,000 boost.
   User A has 100 boost and delegates 50 boost to User B.
   User B now has 50 boost, but totalBoost and workingSupply remain unchanged.

2. When the delegation expires, User B calls removeBoostDelegation().
   This function subtracts 50 boost from both totalBoost and workingSupply, reducing them to 950.
   The delegation process did not originally increase totalBoost, but the removal reduces it, leading to a net loss.
   The process can be repeated indefinitely, draining the system’s available boost.

Tools Used

Manual review

Recommendations

Ensure totalBoost and workingSupply remain balanced

• Modify delegateBoost to increase totalBoost and workingSupply accordingly when boost is delegated.

• Alternatively, adjust removeBoostDelegation to only cancel the delegated boost without reducing totalBoost.

• Maintain a global delegation counter to track total delegated boost and prevent excessive reductions.

Enforce correct boost accounting in updateUserBoost

• Ensure that pool boost cannot be artificially inflated or drained through repeated delegations and removals.