Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Incorrect Gauge Weight Calculation Allows Voting Power Inflation `GaugeController::_updateGaugeWeight`

0x23r0

Summary

In the GaugeController contract's gauge weight update mechanism, allowing users to disproportionately influence gauge weights beyond their actual voting power. This flaw stems from the lack of validation on cumulative user votes across multiple gauges, enabling a single voter to artificially inflate the total system weight and manipulate reward distribution.

Vulnerability Details

function _updateGaugeWeight(
address gauge,
uint256 oldWeight,
uint256 newWeight,
uint256 votingPower
) internal {
Gauge storage g = gauges[gauge];
uint256 oldGaugeWeight = g.weight;
uint256 newGaugeWeight = oldGaugeWeight - (oldWeight * votingPower / WEIGHT_PRECISION)
+ (newWeight * votingPower / WEIGHT_PRECISION);
g.weight = newGaugeWeight;
g.lastUpdateTime = block.timestamp;
}

The _updateGaugeWeight function calculates gauge weights using the following logic:

newGaugeWeight = oldGaugeWeight - (oldWeight * votingPower / WEIGHT_PRECISION)
+ (newWeight * votingPower / WEIGHT_PRECISION)

Key Issue:
Users can allocate maximum weight (10000 basis points) to multiple gauges without constraints. Each full-weight vote contributes votingPower (user's veRAAC balance) to the gauge's weight. When spread across N gauges, this results in total weight contributions of N * votingPower, despite the voter only possessing votingPower tokens.

Attack Scenario:

  1. Attacker holds 100 veRAAC tokens

  2. Votes 100% weight on 10 different gauges

  3. Each gauge receives 100 * 10000/10000 = 100 weight

  4. Total system weight increases by 10 * 100 = 1000
    (10x amplification of actual voting power)

This breaks the fundamental 1:1 relationship between veToken holdings and voting influence, violating the system's design assumptions.

Impact

  • Reward Distribution Manipulation: Attackers can skew emissions toward specific gauges

  • System Weight Inflation: Artificial inflation of total weights disrupts reward calculations

Tools Used

Manual Review

Recommendation

Implement vote weight validation:

function vote(address gauge, uint256 weight) external {
// Add before existing checks
uint256 currentTotal = getTotalUserVoteWeight(msg.sender);
require(currentTotal - userGaugeVotes[msg.sender][gauge] + weight <= WEIGHT_PRECISION,
"Exceeds total voting power");
// ... rest of function
}
function getTotalUserVoteWeight(address user) public view returns (uint256) {
uint256 total;
for (uint i = 0; i < _gaugeList.length; i++) {
total += userGaugeVotes[user][_gaugeList[i]];
}
return total;
}

This ensures the sum of a user's votes across all gauges never exceeds 100% (10000 basis points), preserving the 1:1 voting power relationship.

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

GaugeController::vote lacks total weight tracking, allowing users to allocate 100% of voting power to multiple gauges simultaneously

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

GaugeController::vote lacks total weight tracking, allowing users to allocate 100% of voting power to multiple gauges simultaneously

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.