Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

BaseGauge sets minBoost to be much larger than maxBoost, allowing users to get significantly larger than normal boost rewards

Summary

Min boost is much larger than max boost, leading to incorrect boost calculations, especially when totalVeSupply is 0.

Vulnerability Details

The BaseGauge contract is responsible for handling reward distribution and boost calculations for users based on their staked tokens and voting power. It utilizes the BoostCalculator library to compute boost multipliers, which are then applied to users' base weights to determine their final reward distribution. The boost calculation is governed by parameters such as maxBoost and minBoost, which define the range of possible boost multipliers.

In the BaseGauge contract, the boostState is initialized with a maxBoost of 25000 (representing a 2.5x multiplier) and a minBoost of 1e18 (representing a 1,000,000,000,000,000x multiplier). This configuration is problematic because the minBoost is set to a value much larger than the maxBoost, which contradicts the intended logic of having a minimum boost that is less than or equal to the maximum boost. This misconfiguration can lead to incorrect boost calculations, where users might receive a boost multiplier that is not within the expected range, potentially resulting in unfair reward distribution.

Proof of Concept

  1. A user stakes tokens in the BaseGauge contract.

  2. The contract attempts to calculate the user's boost using the BoostCalculator.calculateBoost() function.

  3. Due to the misconfigured minBoost and maxBoost, the calculated boost may exceed the intended maximum or fall below the intended minimum, leading to incorrect reward calculations.

  4. If no voting power is available, BoostCalculator.calculateBoost() returns the minBoost amount which is extremely large and alters the calculations in _applyBoost() drastically.
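
The zero-voting-power case in step 4 can be turned into a repeatable check. The JavaScript below is an added example, not code from the audited repository: calculateBoost is a stand-in whose interpolation branch is assumed, checkBoostCap is a hypothetical helper, and boosts are assumed to be basis points (10000 = 1x).

```javascript
// Added example: a property check, not code from the audited repository.
// Assumption: boosts are basis points (25000 = 2.5x per the report, so 10000 = 1x).

// Stand-in calculator (hypothetical). Only the zero-voting-power branch follows
// the report; the interpolation and clamp are an assumed placeholder.
function calculateBoost(cfg, userVe, totalVe) {
  if (userVe === 0n || totalVe === 0n) return cfg.minBoost;
  const span = cfg.maxBoost - cfg.minBoost;
  const boost = cfg.minBoost + (span * userVe) / totalVe;
  return boost > cfg.maxBoost ? cfg.maxBoost : boost;
}

// Probe edge cases and report the config invariant plus every output above the cap.
// `calc` can be swapped for a wrapper around a real implementation.
function checkBoostCap(cfg, calc = calculateBoost) {
  const findings = [];
  if (cfg.minBoost > cfg.maxBoost) {
    findings.push(`config: minBoost ${cfg.minBoost} > maxBoost ${cfg.maxBoost}`);
  }
  const total = 1000n * 10n ** 18n; // constructed sample supply
  const cases = [
    [0n, 0n],            // nobody holds voting power (totalVeSupply is 0)
    [0n, total],         // this user holds none
    [1n, total],         // dust holder
    [total / 2n, total], // half of the supply
    [total, total],      // sole holder
  ];
  for (const [userVe, totalVe] of cases) {
    const boost = calc(cfg, userVe, totalVe);
    if (boost > cfg.maxBoost) {
      findings.push(`userVe=${userVe} totalVe=${totalVe}: boost ${boost} exceeds cap`);
    }
  }
  return findings;
}

const reported = { minBoost: 10n ** 18n, maxBoost: 25000n }; // values from the report
const recommended = { minBoost: 10000n, maxBoost: 25000n };  // the report's suggested fix

console.log(checkBoostCap(reported));    // config finding plus both zero-power cases
console.log(checkBoostCap(recommended)); // no findings
```

With the reported values, both probes that have no voting power return minBoost and break the cap; with the recommended values every probe stays at or below maxBoost.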

Impact

Loss of funds: The incorrect configuration of boost parameters can lead to extremely unfair reward distribution among users. Users might receive more or fewer rewards than they are entitled to, based on their actual voting power and staked tokens. This can undermine the integrity of the reward distribution mechanism and potentially lead to disputes among users.

Tools Used

Manual Review

Recommendations

To resolve this issue, ensure that the minBoost is set to a value that is less than or equal to the maxBoost. This can be achieved by updating the initialization of boostState in the BaseGauge constructor:

constructor(...) {
...
- boostState.minBoost = 1e18; // @audit min boost is much larger than max boost
+ boostState.minBoost = 10000;
...
}
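
Review bot: the `+ boostState.minBoost = 10000;` line swaps one bare literal for another, and nothing in the constructor ties it to maxBoost. Consider a named constant on the same scale as maxBoost, plus a check in the constructor that minBoost is not greater than maxBoost, so that a later edit to either value fails at deployment rather than surfacing in reward math.
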
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

boostState.minBoost is set to 1e18
