Submission Details
Severity:
Wrong voting power used in `BaseGauge#voteDirection()`
Vulnerability Details
From documentation, function voteDirection()will use voting power of user to vote:
function voteDirection(uint256 direction) public whenNotPaused updateReward(msg.sender) {
if (direction > 10000) revert InvalidWeight();
@> uint256 votingPower = IERC20(IGaugeController(controller).veRAACToken()).balanceOf(msg.sender);
if (votingPower == 0) revert NoVotingPower();
totalVotes = processVote(
userVotes[msg.sender],
direction,
votingPower,
totalVotes
);
emit DirectionVoted(msg.sender, direction, votingPower);
}
But in veRAACToken, voting power will be reduced to 0 when the time passed to unlock time. When the lock is expired, voting power will become 0, but their veRAACToken will keep the same, which make them still have same power when the lock is expired. In the veRAACToken, function getVotingPower()should be used because it return current power of user:
function getVotingPower(address account) public view returns (uint256) {
return _votingState.getCurrentPower(account, block.timestamp);
}
Impact
User still have voting power even when the lock is expired
Recommendations
Using getVotingPower()function instead of balance of caller.
Updates
Lead Judging Commences
inallhonesty 7 months ago
Submission Judgement Published Assigned finding tags:
BaseGauge::_applyBoost, GaugeController::vote, BoostController::calculateBoost use balanceOf() instead of getVotingPower() for vote-escrow tokens, negating time-decay mechanism
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420
USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.