GaugeController#vote incorrectly subtracts previous weight
Summary
Vulnerability Details
Current weight is subtracted instead of the weight of at the moment of previous vote. If previous veRAAC balance was lower than the current balance, the accounting will be incorrect, resulting in too little weight for the gauge than it should be.
Proof of Concept
Let's say Alice is about to join the system, and wants to maximize her yield from gauges.
Alice mints 1 wei of veRAAC and votes for gauge G with weight = 10000
Alice mints herself 1_000e18 veRAAC and votes for gauge G with weight 0
G's weight decreases by oldWeight * votingPower / WEIGHT_PRECISION = votingPower, which is 1_000e18
In the end, Alice was able to decrease G's weight by 1_000e18. Whatever other gauge Alice stakes in, her yield will be higher, because the total sum of the weights will be 1000e18 less than if she did not execute the attack, so her gauges will get a bigger share.
Impact
Malicious users can decrease weights of gauges by the amount of their veRAAC balance, so their gauges earn more rewards.
Recommendations
Track previous veRAAC balance and subtract oldBalance * oldWeight, instead of currentBalance * oldWeight.
Lead Judging Commences
GaugeController::_updateGaugeWeight uses current voting power for both old and new vote calculations, causing underflows when voting power increases and incorrect gauge weights
GaugeController::_updateGaugeWeight uses current voting power for both old and new vote calculations, causing underflows when voting power increases and incorrect gauge weights
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.