Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Dual-purpose use of the `BoostController::userBoosts` mapping for both pool-specific boosts and boost delegation tracking causes miscalculation of user boosts.

Summary

The `BoostController::userBoosts` mapping is used for two purposes, pool-specific boosts and boost delegation tracking. Sharing one data structure between them makes the stored state ambiguous and risks miscalculating user boosts.

Vulnerability Details

The contract employs a nested mapping userBoosts[user][contextAddress] for two fundamentally different purposes without namespace separation:

```solidity
/// @notice Maps user addresses to their boost information for each pool
mapping(address => mapping(address => UserBoost)) private userBoosts; // user => pool => boost
/// @notice Maps pool addresses to their boost information
mapping(address => PoolBoost) private poolBoosts; // pool => boost
```

  1. Pool-Specific Boosts
    Used in functions like `updateUserBoost()` where `contextAddress` represents a pool address:

    ```solidity
    UserBoost storage userBoost = userBoosts[user][pool];
    ```

  2. Boost Delegations
    Used in delegation functions like `delegateBoost()` where `contextAddress` represents a recipient address:

    ```solidity
    UserBoost storage delegation = userBoosts[msg.sender][to];
    ```

When any address serves both as:

  • A supported pool (via supportedPools mapping)

  • A boost delegation recipient

The mapping keys collide, causing:

  • Overwritten Data: Delegation records overwrite pool boost data (or vice versa)

  • State Corruption: Both systems share the same storage slots despite representing different concepts

  • Logical Contradictions: Functions expecting pool context receive delegation data and vice versa

Attack Scenario Example

  1. Admin adds 0xAAA as supported pool via modifySupportedPool()

  2. User delegates boost to 0xAAA using delegateBoost()

  3. The system now contains:

    ```solidity
    userBoosts[user][0xAAA] = delegation_data
    ```

  4. When `updateUserBoost(user, 0xAAA)` is called, it:

    • Accesses delegation data instead of pool boost data

    • Corrupts pool boost calculations with delegation parameters
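
The collision in the scenario above, next to a layout with separate namespaces, as an added example that is not the audited contract's code. The contract name, the `UserBoost` fields, the function signatures and bodies, and the helpers `sharedPoolBoost`, `separatedPoolBoost`, `poolBoostOf` and `delegationOf` are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added illustration, not the audited BoostController.
/// Struct fields, signatures and function bodies are simplified assumptions.
contract BoostKeyCollisionModel {
    struct UserBoost {
        uint256 amount;
        uint256 expiry;
        address delegatedTo;
    }

    mapping(address => bool) public supportedPools;

    // Shared layout from the finding: the second key is a pool OR a recipient.
    mapping(address => mapping(address => UserBoost)) private userBoosts;

    // Separated layout: one mapping per concept, so the keys cannot collide.
    mapping(address => mapping(address => UserBoost)) private poolBoostOf; // user => pool
    mapping(address => mapping(address => UserBoost)) private delegationOf; // user => recipient

    function modifySupportedPool(address pool, bool isSupported) external {
        supportedPools[pool] = isSupported;
    }

    // Records the same delegation in both layouts for comparison.
    function delegateBoost(address to, uint256 amount, uint256 duration) external {
        UserBoost memory d = UserBoost({
            amount: amount,
            expiry: block.timestamp + duration,
            delegatedTo: to
        });
        userBoosts[msg.sender][to] = d; // lands in the pool slot if `to` is a pool
        delegationOf[msg.sender][to] = d; // cannot touch poolBoostOf
    }

    // Pool-context read on the shared layout, as updateUserBoost(user, pool) would do.
    // Returns the delegated amount when `pool` was also used as a recipient.
    function sharedPoolBoost(address user, address pool) external view returns (uint256) {
        require(supportedPools[pool], "pool not supported");
        return userBoosts[user][pool].amount;
    }

    // Same read on the separated layout: 0 until a real pool boost is written.
    function separatedPoolBoost(address user, address pool) external view returns (uint256) {
        require(supportedPools[pool], "pool not supported");
        return poolBoostOf[user][pool].amount;
    }
}
```

After `modifySupportedPool(A, true)` and a user's `delegateBoost(A, 100, 1 days)`, `sharedPoolBoost(user, A)` returns 100 although no pool boost was ever recorded, while `separatedPoolBoost(user, A)` returns 0.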

Impact

Incorrect boost multipliers lead to wrongful reward distributions

Tools Used

Manual Review

Recommendations

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BoostController's delegation system fundamentally broken due to missing pool associations, treating recipient addresses as pools and never properly updating pool boost metrics
