Incorrect Voting Power Being Assigned in `BaseGauge.voteDirection()` and `GaugeController.vote()`
Summary
The functions voteDirection() in BaseGauge.sol and vote() in GaugeController.sol incorrectly use balanceOf() instead of getVotingPower(). Since balanceOf() does not account for decaying voting power, this results in outdated and inflated governance influence, allowing users to vote with more weight than they actually should have. This affects governance fairness in generality.
Vulnerability Details
In BaseGauge.voteDirection(),
votingPower is assigned user's veRAACToken balanceOf(), which is point.bias (i.e. the minted veTokens) typically assigned on the first lock() unless otherwise adjusted later via increase() or extend().
Understandably, a user's initial voting power will decay linearly to 0 at unlock time. The above flaw would mean, a user whose lock period was already over could still vote on direction skipping the if (votingPower == 0) check.
Evidently, the same issue also surfaces in GaugeController.vote():
Impact
Users can exert more influence than they should, unfairly skewing votes.
The fundamental mechanism of decaying voting power becomes useless.
Long-term inactive token holders retain full power, reducing governance fairness.
Attackers could stockpile tokens, never extend the lock, and maintain full voting influence forever as long as they do not call
withdraw()to burn their veToken balance.
Tools Used
Manual
Recommendations
Consider making the following fix:
Lead Judging Commences
BaseGauge::_applyBoost, GaugeController::vote, BoostController::calculateBoost use balanceOf() instead of getVotingPower() for vote-escrow tokens, negating time-decay mechanism
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.