The GaugeController contract allows veRAACToken holders to vote on gauges by setting a weight value between 0 and 10,000. However, there is no logic to enforce a meaningful limitation on how the weight is distributed, allowing a user to set the maximum weight (10,000) for multiple gauges without any penalty or adjustment. This flaw permits users to repeatedly apply their full voting power, thereby distorting the intended gauge weight distribution.
In the vote function, a user can set a weight for a gauge with any value from 0 to 10,000:
There is no mechanism to constrain or normalize the sum of weights a user can assign across different gauges. For instance, a user with a balance of 1,000 veRAACTokens could cast a vote with a weight of 10,000 on Gauge A and then do the same for Gauge B. Each vote applies the full voting power:
Gauge A Vote:
Contribution = 10,000 × 1,000 / 10,000 = 1,000
Gauge B Vote:
Contribution = 10,000 × 1,000 / 10,000 = 1,000
Thus, the user’s 1,000 tokens influence two separate gauges fully, effectively doubling their impact.
Skewed Weight Distribution: Malicious users can apply their full voting power to each of several gauges, thereby influencing reward distributions significantly beyond what their token holdings should permit.
Manual Review
Implement a normalization mechanism that limits the cumulative voting weight a user can allocate across all gauges to their actual voting power. This will prevent users from applying their full balance to multiple gauges and ensure a fair distribution of influence.
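One way to implement the recommended cap, as an added sketch that is not the RAAC GaugeController code: each voter gets a budget of 10,000 weight points summed over all gauges, and a re-vote first removes that voter's earlier contribution. The contract name, the IVotingPower interface, and all storage and error names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical minimal interface; the real veRAACToken API is not shown on the page.
interface IVotingPower {
    function balanceOf(address account) external view returns (uint256);
}

// Illustrative sketch of per-voter weight budgeting (assumed names throughout).
contract CappedGaugeVoting {
    uint256 public constant WEIGHT_PRECISION = 10_000; // 10,000 = 100% of a voter's power

    IVotingPower public immutable veToken;

    mapping(address => mapping(address => uint256)) public userGaugeWeight; // voter => gauge => weight
    mapping(address => mapping(address => uint256)) public userGaugePower;  // voter => gauge => power applied
    mapping(address => uint256) public userTotalWeight;                     // voter => sum of weights
    mapping(address => uint256) public gaugeWeight;                         // gauge => aggregated power

    error InvalidWeight();
    error NoVotingPower();
    error WeightBudgetExceeded(uint256 requested, uint256 available);

    constructor(IVotingPower _veToken) {
        veToken = _veToken;
    }

    function vote(address gauge, uint256 weight) external {
        if (weight > WEIGHT_PRECISION) revert InvalidWeight();
        uint256 power = veToken.balanceOf(msg.sender);
        if (power == 0) revert NoVotingPower();

        // Budget check: weights across all gauges may never sum past 100%.
        uint256 usedElsewhere = userTotalWeight[msg.sender] - userGaugeWeight[msg.sender][gauge];
        if (usedElsewhere + weight > WEIGHT_PRECISION) {
            revert WeightBudgetExceeded(weight, WEIGHT_PRECISION - usedElsewhere);
        }

        // Remove exactly what this voter added earlier (recorded at vote time,
        // so a changed balance cannot cause under- or over-subtraction).
        uint256 newPower = (weight * power) / WEIGHT_PRECISION;
        gaugeWeight[gauge] = gaugeWeight[gauge] - userGaugePower[msg.sender][gauge] + newPower;

        userGaugeWeight[msg.sender][gauge] = weight;
        userGaugePower[msg.sender][gauge] = newPower;
        userTotalWeight[msg.sender] = usedElsewhere + weight;
    }
}
```

With the 1,000-token voter from the example above, a 10,000 vote on Gauge A uses the whole budget, so the same vote on Gauge B reverts with WeightBudgetExceeded until weight is moved off Gauge A.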