[H-1] Incorrect Boost Multiplier Calculation Always Returns a Fixed Value
Description:
The BoostController::getBoostMultiplier function is intended to calculate a user's boost multiplier for a given pool. However, due to a miscalculation in the formula, the function always returns a fixed value of MAX_BOOST (25000) when userBoost.amount > 0, regardless of the actual userBoost.amount.
The issue arises from the calculation of baseAmount:
Since baseAmount is derived from userBoost.amount, the division cancels out the variable component, always yielding the maximum boost.
Impact:
This issue renders the function ineffective for dynamic boost calculation. Instead of varying based on the user's actual contribution, the multiplier is always the same (MAX_BOOST), making the boost logic meaningless. This could lead to incorrect reward distributions, unfair advantages, or unintended protocol behavior.
Proof of Concept:
Consider two cases to illustrate the incorrect calculation:
-
Example 1:
userBoost.amount = 20baseAmount = 20 * 10000 / 25000 = 8;multiplier = 20 * 10000 / 8 = 25000; // Always MAX_BOOST -
Example 2:
userBoost.amount = 10baseAmount = 10 * 10000 / 25000 = 4;multiplier = 10 * 10000 / 4 = 25000; // Again, always MAX_BOOSTIn both examples, the function incorrectly returns
MAX_BOOSTinstead of a value dependent onuserBoost.amount.
Recommended Mitigation:
Revise the formula to correctly calculate the boost multiplier without always defaulting to MAX_BOOST. A possible fix could involve properly normalizing userBoost.amount relative to MAX_BOOST without introducing self-canceling terms.
Lead Judging Commences
BoostController::getBoostMultiplier always returns MAX_BOOST for any non-zero boost due to mathematical calculation error, defeating the incentive mechanism
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.