Missing kick function for users without voting power in gauge controller
Summary
Analagous to how Curve exposes a function to 'kick' those users who have a boost in their working supply because they locked tokens previously and did not perform further actions after the lock expired, RAAC should expose a similar function to kick the weight users voted for a gauge in the gauge controller.
Not implementing this function allows users to vote for rewards allocations in the gauge controller without needing to lock any veToken. This occurs because the system currently uses the veToken balance as voting power instead of the bias and the slope.
Vulnerability Details
Impact
Tools Used
Manual review.
Recommendations
Store the last voting power a user used during a vote for each gauge and add a kick function, if the last voting power for the user is greater than 0 for any gauge but he doesn't hold veTokens, remove the voting power from the gauges the user allocated to.
Lead Judging Commences
GaugeController lacks mechanism to remove votes from users with expired veToken locks, allowing continued influence on reward distribution without active token commitment
GaugeController lacks mechanism to remove votes from users with expired veToken locks, allowing continued influence on reward distribution without active token commitment
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.