`BaseGauge:_getBaseWeight` is broken causing incorrect reward calculation.
Summary
_getBaseWeight is using address(this) to calculate the weight instead of account.
Vulnerability Details
When a user does any operation in BaseGauge like stake,withdraw,getReward etc. the updateReward modifier is called and it will update the user reward based on stake duration and user weight for gauge. But if you look at the _getBaseWeight which is a function we call in this sequence
updateReward → earned → getUserWeight → _getBaseWeight
As you can see the code is actually trying to get the weight of address(this) in the gauge instead of the account.
Impact
This will cause the incorrect reward calculation for user and user will lose their reward.
Recommendation
Use account instead of address(this) to get the user’s gauge weight.
Lead Judging Commences
BaseGauge._getBaseWeight ignores account parameter and returns gauge's total weight, allowing users to claim rewards from gauges they never voted for or staked in
BaseGauge._getBaseWeight ignores account parameter and returns gauge's total weight, allowing users to claim rewards from gauges they never voted for or staked in
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.