User can delegate boost with holding no veRAAC tokens for the whole delegation duration
Summary
User can delegate boost with holding no veRAAC tokens for the whole delegation duration.
Vulnerability Details
When a user delegates boot to another address, protocol updates the delegation's expiry is set.
BoostController::delegateBoost()
However, protocol does not check the expiry against the unlock time of user's lock position. A malicious user delegates by using veRAAC token balance minted from an expired lock, then immediately withdraw from veRAACToken and get the veRAAC tokens burned, as a result, the user delegates for a period without holding any veRAAC tokens.
Impact
User delegates without holding veRAAC tokens during the delegation period.
Tools Used
Manual Review
Recommendations
When a user delegates, should check the delegation's exipry date against the user's lock unlock time.
Lead Judging Commences
BoostController delegations remain valid even when users withdraw their veRAAC tokens, allowing boost "double-spending" and undermining the economic model requiring locked tokens
BoostController delegations remain valid even when users withdraw their veRAAC tokens, allowing boost "double-spending" and undermining the economic model requiring locked tokens
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.