Core Contracts

Summary

In contracts/interfaces/core/governance/IBoostController.sol, the error PoolNotSupported is documented to occur when a pool is not in the supported pools list. However, in contracts/core/governance/boost/BoostController.sol, this error is actually triggered when an attempt is made to modify a pool's support status, but the status remains unchanged.

Vulnerability Details

The function modifySupportedPool is implemented as follows:

This logic indicates that PoolNotSupported is reverted when the pool's current support status is the same as the requested status, rather than when the pool is not in the supported pools list. This discrepancy between documentation and implementation can lead to confusion and improper handling of errors in dependent contracts.

Impact

• Misinterpretation of error handling can lead to unintended behavior in governance mechanisms.

• Smart contracts or external integrations relying on PoolNotSupported for validation might function incorrectly.

• Potential security risks if error handling is assumed incorrectly in other contract logic.

Tools Used

Manual code review.

Recommendations

• Update the Documentation: Ensure IBoostController.sol accurately reflects the actual behavior of PoolNotSupported in BoostController.sol.

• Introduce a More Descriptive Error: Consider adding a new error type, such as PoolStatusUnchanged, to clearly indicate the specific condition.

• Refactor the Function Logic (if necessary): If PoolNotSupported is meant to indicate an entirely different scenario, update the function implementation accordingly to maintain consistency.