Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

Inconsistent Boost State Updates

Summary

The _updateBoostState function updates the boost state but does not ensure that the boost values are within the valid range (MIN_BOOST to MAX_BOOST). This inconsistency can lead to incorrect boost calculations, which are critical for determining rewards and voting power.

Vulnerability Details

The boost state is updated without enforcing constraints on the boost values. Specifically:

  • The _boostState.maxBoost and _boostState.minBoost are set during initialization but are not validated during state updates.

  • The calculateTimeWeightedBoost function does not explicitly clamp the boost values to the valid range.

    function _updateBoostState(address user, uint256 newAmount) internal {
        // Update boost calculator state
        _boostState.votingPower = _votingState.calculatePowerAtTimestamp(user, block.timestamp);
        _boostState.totalVotingPower = totalSupply();
        _boostState.totalWeight = _lockState.totalLocked;
        _boostState.updateBoostPeriod();
    }

  • A user locks RAAC tokens and receives veRAAC tokens representing their voting power.

  • The boost calculation is performed to determine the user's reward multiplier.

  • Due to inconsistent state updates, the boost value exceeds the valid range (MIN_BOOST to MAX_BOOST), leading to incorrect rewards.

Steps to Reproduce

  • Deploy the veRAACToken contract with the RAAC token address.

  • Set MIN_BOOST = 10000 (1x) and MAX_BOOST = 25000 (2.5x).

  • User A locks 1000 RAAC tokens for 4 years (MAX_LOCK_DURATION).

  • The voting power is calculated, and veRAAC tokens are minted.

  • Call _updateBoostState with a large newAmount or artificially inflate the totalVotingPower and totalWeight values.

    _boostState.votingPower = 1_000_000e18;      // Artificially high
    _boostState.totalVotingPower = 1_000_000e18; // Artificially high
    _boostState.totalWeight = 1_000_000e18;      // Artificially high

  • Call calculateBoost for User A.

  • Observe that the boost value exceeds MAX_BOOST (25000).

Expected Behavior

The boost value should be clamped to the valid range (MIN_BOOST to MAX_BOOST), ensuring fair and consistent rewards.

Actual Behavior

The boost value exceeds MAX_BOOST, leading to incorrect rewards and unfair advantages.

Code Example

    // Simulate inconsistent boost state updates.
    // raacTokenAddress and userA are expected to be defined by the surrounding test contract.
    function testInconsistentBoostState() public {
        // Step 1: Deploy the contract and initialize parameters
        veRAACToken veRAAC = new veRAACToken(raacTokenAddress);

        // Step 2: User A locks 1000 RAAC tokens for 4 years
        uint256 lockAmount = 1000e18;
        uint256 lockDuration = 1460 days;
        veRAAC.lock(lockAmount, lockDuration);

        // Step 3: Artificially inflate boost state values
        veRAAC.setBoostState(1_000_000e18, 1_000_000e18, 1_000_000e18);

        // Step 4: Calculate boost for User A
        (uint256 boostBasisPoints, uint256 boostedAmount) = veRAAC.calculateBoost(userA, lockAmount);

        // Step 5: Verify that boost exceeds MAX_BOOST (the message is shown if it does not)
        require(boostBasisPoints > 25000, "Boost does not exceed MAX_BOOST");
    }

Output

  • The boostBasisPoints value exceeds 25000, violating the MAX_BOOST constraint.

Impact

  • Incorrect Boost Calculations: If boost values exceed the valid range, users may receive incorrect rewards or voting power, leading to unfair advantages or disadvantages.

  • Undermined System Integrity: Incorrect boosts could undermine the trust and fairness of the governance and reward distribution mechanisms.

Tools Used

Manual Code Review

Recommendations

  • Emit an event when the boost state is updated to improve transparency.

  • Modify the calculateTimeWeightedBoost function to clamp the boost value to the valid range.

    boostBasisPoints = Math.min(Math.max(boostBasisPoints, MIN_BOOST), MAX_BOOST);

  • Add checks in _updateBoostState to ensure boost values are within the valid range.

    require(_boostState.maxBoost <= MAX_BOOST, "Boost exceeds maximum");
    require(_boostState.minBoost >= MIN_BOOST, "Boost below minimum");

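
The clamp recommended above, placed inside a small boost calculation so the edge cases are visible. This is an added example, not the RAAC contracts' code: the linear share-based formula, the ClampedBoost library and the ClampedBoostCheck contract are assumptions, and only MIN_BOOST, MAX_BOOST and the (boostBasisPoints, boostedAmount) return shape come from this report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not the RAAC code. The linear formula is an assumption;
// only MIN_BOOST, MAX_BOOST and the return shape come from the report.
library ClampedBoost {
    uint256 internal constant MIN_BOOST = 10_000; // 1x in basis points
    uint256 internal constant MAX_BOOST = 25_000; // 2.5x in basis points

    // Boost grows linearly with the user's share of total voting power.
    function boostBasisPoints(uint256 votingPower, uint256 totalVotingPower)
        internal pure returns (uint256 boost)
    {
        // Nothing locked yet: return the floor instead of dividing by zero.
        if (totalVotingPower == 0) return MIN_BOOST;
        // Inconsistent state can report votingPower > totalVotingPower;
        // cap the share at 100% before it enters the formula.
        if (votingPower > totalVotingPower) votingPower = totalVotingPower;

        boost = MIN_BOOST + (votingPower * (MAX_BOOST - MIN_BOOST)) / totalVotingPower;

        // Final clamp, kept even though the cap above already bounds the
        // result, so a later formula change cannot leave the range.
        if (boost < MIN_BOOST) boost = MIN_BOOST;
        if (boost > MAX_BOOST) boost = MAX_BOOST;
    }

    function boostedAmount(uint256 amount, uint256 votingPower, uint256 totalVotingPower)
        internal pure returns (uint256 bps, uint256 boosted)
    {
        bps = boostBasisPoints(votingPower, totalVotingPower);
        boosted = (amount * bps) / MIN_BOOST; // 10_000 bps == 1x
    }
}

contract ClampedBoostCheck {
    // Constructed inputs: the inflated values from the reproduction steps, a
    // state where votingPower is twice totalVotingPower, and an empty state.
    function check() external pure returns (bool) {
        (uint256 a, ) = ClampedBoost.boostedAmount(1000e18, 1_000_000e18, 1_000_000e18);
        (uint256 b, uint256 out) = ClampedBoost.boostedAmount(1000e18, 2_000_000e18, 1_000_000e18);
        (uint256 c, ) = ClampedBoost.boostedAmount(1000e18, 0, 0);
        return a == 25_000 && b == 25_000 && out == 2500e18 && c == 10_000;
    }
}
```
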
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
