Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Users can vote for multiple gauges at the same time and screw up the weights

Summary

Users can vote for multiple gauges at the same time and screw up the weights

Vulnerability Details

Currently, gauge weights and user balances are broken due to another bug that must be fixed. However, even after fixing it, users will still be able to
vote for multiple gauges at the same time and screw up the weights and rewards.

https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/governance/gauges/GaugeController.sol#L190

    function vote(address gauge, uint256 weight) external override whenNotPaused {
        if (!isGauge(gauge)) revert GaugeNotFound();
        if (weight > WEIGHT_PRECISION) revert InvalidWeight();

        // User can vote for multiple gauges ?
        // remove the weight from the old gauge
        uint256 votingPower = veRAACToken.balanceOf(msg.sender);
        if (votingPower == 0) revert NoVotingPower();

        uint256 oldWeight = userGaugeVotes[msg.sender][gauge];
        userGaugeVotes[msg.sender][gauge] = weight;

        _updateGaugeWeight(gauge, oldWeight, weight, votingPower);
        emit WeightUpdated(gauge, oldWeight, weight);
    }

This is bad, as gauge weights are meant to reflect how much users favor each gauge and to increase its reward share accordingly. We can clearly see that the rewards for each gauge are based on its percentage share of totalWeight. However, if users vote with their entire balances for 2 gauges at the same time, their combined share will be more than totalWeight and we will distribute more rewards than necessary.

https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/governance/gauges/GaugeController.sol#L360

    function _calculateReward(address gauge) internal view returns (uint256) {
        Gauge storage g = gauges[gauge];
        uint256 totalWeight = getTotalWeight();
        if (totalWeight == 0) return 0;

        // weight * 10k / total
        uint256 gaugeShare = (g.weight * WEIGHT_PRECISION) / totalWeight;

Example:

  1. User has 10k voting power, total is 100k

  2. Both gauges are at 45k weight

  3. He votes for both of them

totalWeight is 100k, but the combined weight of those 2 gauges is 110k, thus both receive 55% of the rewards.

Impact

Users can vote for multiple gauges at the same time with the same weight in order to mess up the reward.

Tools Used

Manual review

Recommendations

Remove the weight from the old gauge and add it to the new one.
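
The accounting from the example above, as an added Python model (not code from this report or from the RAAC contracts), run once without and once with a per-user cap on the weight allocated across all gauges. GaugeModel, cap_allocation and the weight-update rule are assumptions made for illustration; the 100k total, 10k voting power and 45k gauge weights are the report's numbers.

```python
# Added model; names are hypothetical, not the RAAC contracts' own code.
WEIGHT_PRECISION = 10_000  # basis points: 10_000 = 100% of a user's voting power


class InvalidWeight(Exception):
    """Stands in for a Solidity revert."""


class GaugeModel:
    def __init__(self, gauge_weights, cap_allocation):
        self.gauge_weight = dict(gauge_weights)  # gauge -> accumulated weight
        self.user_votes = {}                     # (user, gauge) -> bps voted
        self.user_used = {}                      # user -> bps used across all gauges
        self.cap_allocation = cap_allocation

    def vote(self, user, gauge, weight_bps, voting_power):
        if weight_bps > WEIGHT_PRECISION:
            raise InvalidWeight("single vote above 100%")
        old = self.user_votes.get((user, gauge), 0)
        used = self.user_used.get(user, 0) - old + weight_bps
        # The missing check: votes across ALL gauges must fit within 100%.
        if self.cap_allocation and used > WEIGHT_PRECISION:
            raise InvalidWeight("total allocation above 100%")
        self.user_votes[(user, gauge)] = weight_bps
        self.user_used[user] = used
        # Assumed update rule: swap the user's old contribution for the new one.
        self.gauge_weight[gauge] -= old * voting_power // WEIGHT_PRECISION
        self.gauge_weight[gauge] += weight_bps * voting_power // WEIGHT_PRECISION

    def shares_bps(self, total):
        return {g: w * WEIGHT_PRECISION // total for g, w in self.gauge_weight.items()}


def run_report_example(cap_allocation):
    """Constructed input from the report: 100k total, user holds 10k, gauges at 45k."""
    model = GaugeModel({"A": 45_000, "B": 45_000}, cap_allocation)
    rejected = False
    for gauge in ("A", "B"):
        try:
            model.vote("alice", gauge, WEIGHT_PRECISION, voting_power=10_000)
        except InvalidWeight:
            rejected = True
    return model.shares_bps(total=100_000), rejected


if __name__ == "__main__":
    print("uncapped:", run_report_example(False))  # both gauges end at 55%
    print("capped:  ", run_report_example(True))   # second vote is rejected
```

With the cap in place a user can still move a vote: setting the old gauge's weight to 0 frees the allocation for the new one.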

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

GaugeController::vote lacks total weight tracking, allowing users to allocate 100% of voting power to multiple gauges simultaneously
