Incorrect User Weight Calculation in BaseGauge::getUserWeight
Summary
The getUserWeight function is responsible for calculating a user's voting weight by applying a boost to their base weight. However, the function _getBaseWeight does not consider the user's actual address. Instead, it calls:
This means that instead of returning the user's actual base weight, it returns the contract’s gauge weight, leading to incorrect reward calculations in the earned function.
Vulnerability Details
The getUserWeight function incorrectly calculates user weight because _getBaseWeight() retrieves the gauge weight using address(this), instead of using the actual account parameter. This causes the function to return the contract’s total gauge weight instead of an individual user’s weight, leading to incorrect reward calculations.
This means every user gets the same base weight—the contract’s gauge weight—rather than their own gauge weight.
The earned() function relies on getUserWeight() to determine user rewards.
Since getUserWeight() returns the wrong weight, earned() calculates and distributes incorrect rewards.
Impact
Users will receive incorrect rewards because earned() relies on getUserWeight(), which returns incorrect weight values.
Tools Used
Manual Review
Recommendations
Modify _getBaseWeight() to correctly fetch the user’s individual weight:
Lead Judging Commences
BaseGauge._getBaseWeight ignores account parameter and returns gauge's total weight, allowing users to claim rewards from gauges they never voted for or staked in
BaseGauge._getBaseWeight ignores account parameter and returns gauge's total weight, allowing users to claim rewards from gauges they never voted for or staked in
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.