Incorrect gauge controller weight update
Summary
Users vote for the rewards allocation to each gauge in the gauge controller. The user chooses the desired weight and the power is determined by the veToken holdings. There is an issue with the math used updating the voted gauge weight when a user votes for the second time having a different voting power. The guage wieght has to be updated based on the old voting power-old weight pair and new voting power-new weight, however the code currently uses old weight-new voting power and new weight-new voting power:
This allows an arbitraguer to allocate weight to a vault without holding veTokens, follow the next rationale using and :
Where:
vp: voting power
w: weight
The wieght assigned to the gauge is and the users does not hold any veToken.
Vulnerability Details
Impact
Tools Used
Manual review.
Recommendations
Store the last voting power along with the last weight used by the user and use it instead of the new voting power to remove the previous weight allocation
Lead Judging Commences
GaugeController::_updateGaugeWeight uses current voting power for both old and new vote calculations, causing underflows when voting power increases and incorrect gauge weights
GaugeController::_updateGaugeWeight uses current voting power for both old and new vote calculations, causing underflows when voting power increases and incorrect gauge weights
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.