Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

The usage of veToken `balanceOf` instead of actual votingPower leads to incorrect gauge reward allocation and unfair reward boost

Summary

The protocol uses the veRaac token's balanceOf() as the measure of a user's voting power. This balance doesn't decay over time, leading to unfair gauge reward allocation and incorrect user reward boosts.

Vulnerability Details

Users can lock Raac tokens to receive veRaac tokens which are used as decaying voting power.
The amount of veRaac tokens minted and initial voting power is given by the following formula:

uint256 initialPower = (amount * duration) / MAX_LOCK_DURATION;

The voting power depends on the amount of locked tokens and on the lock duration.
The voting power decays linearly to 0 at unlock time.

The protocol incorrectly uses the initial, non-decayed voting power by calling veRaacToken.balanceOf in:

Users with an expired lock, meaning their voting power is 0, can still vote on gauge reward distribution and boost their rewards.
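
The gap between the minted balance and the decayed power, as an added Python model that is not the protocol's code or part of the original submission. `MAX_LOCK_DURATION` is assumed to be four years, and the lock sizes, timestamps and gauge names are constructed.

```python
from dataclasses import dataclass

DAY = 86_400
MAX_LOCK_DURATION = 1460 * DAY  # assumption: 4 years; the page does not state the value


@dataclass(frozen=True)
class Lock:
    amount: int    # RAAC locked, in whole-token units
    start: int     # timestamp the lock was created
    duration: int  # lock length in seconds

    @property
    def end(self) -> int:
        return self.start + self.duration


def balance_of(lock: Lock) -> int:
    """veRAAC minted at lock time (the page's initialPower formula); never changes."""
    return lock.amount * lock.duration // MAX_LOCK_DURATION


def voting_power(lock: Lock, now: int) -> int:
    """Initial power decayed linearly to 0 at unlock time."""
    remaining = max(lock.end - now, 0)
    return balance_of(lock) * remaining // lock.duration


def gauge_shares(votes, weight_fn) -> dict:
    """Split emissions between gauges, in basis points, using weight_fn per voter."""
    totals = {}
    for lock, gauge in votes:
        totals[gauge] = totals.get(gauge, 0) + weight_fn(lock)
    total = sum(totals.values())
    return {g: (w * 10_000 // total if total else 0) for g, w in totals.items()}


# Constructed scenario: Alice's one-year lock expired 35 days ago, Bob's has 265 days left.
ALICE = Lock(amount=1000, start=0, duration=365 * DAY)
BOB = Lock(amount=1000, start=300 * DAY, duration=365 * DAY)
NOW = 400 * DAY
VOTES = [(ALICE, "gauge_a"), (BOB, "gauge_b")]

if __name__ == "__main__":
    for name, lock in (("alice", ALICE), ("bob", BOB)):
        print(name, "balanceOf =", balance_of(lock), "votingPower =", voting_power(lock, NOW))
    print("weighted by balanceOf   :", gauge_shares(VOTES, balance_of))
    print("weighted by votingPower :", gauge_shares(VOTES, lambda l: voting_power(l, NOW)))
```

Weighted by balance, the expired lock still directs half of the emissions; weighted by decayed power it directs none.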

Impact

Users will use the non-decaying voting power to decide how rewards are split between gauges and to boost their rewards.
Users have no incentive to lock their Raac tokens again.

Tools Used

Recommendations

Consider using getPastVotes(address account, uint256 blockNumber) to get the voting power based on checkpoints.
Each time a user extends their lock or increases the locked amount, a new checkpoint is created, thus reflecting their latest voting power.

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BaseGauge::_applyBoost, GaugeController::vote, BoostController::calculateBoost use balanceOf() instead of getVotingPower() for vote-escrow tokens, negating time-decay mechanism
