Submission Details
Severity:
Users can manipulate gouge weight and rewards
Summary
Users can manipulate gouge weight and rewards
Vulnerability Details
Votes do not add up, instead the gauge global value is overwritten inside _updateGaugeWeight, meaning that each individual vote will overwrite the rest and determine the new gauge weight.
function _updateGaugeWeight( ... ) internal {
Gauge storage g = gauges[gauge];
uint256 oldGaugeWeight = g.weight;
// g.weight - (oldWeight * votingPower / 10k) + (newWeight * votingPower / 10k)
uint256 newGaugeWeight = oldGaugeWeight - (oldWeight * votingPower / WEIGHT_PRECISION)
+ (newWeight * votingPower / WEIGHT_PRECISION);
g.weight = newGaugeWeight;
g.lastUpdateTime = block.timestamp;
}
Users can manipulate the rewards, as each gauge weight is responsible for it's share of the rewards
function _calculateReward(address gauge) internal view returns (uint256) {
Gauge storage g = gauges[gauge];
uint256 totalWeight = getTotalWeight();
if (totalWeight == 0) return 0;
// weight * 10k / total
uint256 gaugeShare = (g.weight * WEIGHT_PRECISION) / totalWeight;
Impact
Users can manipulate the rewards, by increasing or decreasing them for each gauge they chose.
Tools Used
Manual review
Recommendations
Make sure to add up the votes:
- g.weight = newGaugeWeight;
+ g.weight += newGaugeWeight;
Updates
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.