Gauge weights can be manipulated due to using current voting power instead of historical power when updating votes
Summary
The GaugeController's vote update mechanism incorrectly uses the user's current voting power to remove old votes instead of the historical voting power from when the vote was cast, allowing manipulation of gauge weights.
Vulnerability Details
In the GaugeController contract, the gauge weight update calculation uses current voting power for both adding and removing votes:
Example Scenario:
-
User votes with 500 voting power at 60% weight
Contributes: (6000 * 500) / 10000 = 300 to gauge weight
-
User's voting power increases to 1000
When updating vote, code removes: (6000 * 1000) / 10000 = 600
Removes 600 when only 300 was added!
Impact
Gauge weights can be manipulated by changing voting power between votes and could lead to incorrect gauge weight calculations and reward distributions.
Tools Used
Manual Review
Recommendation
Store each user's voting power at the time of voting and use this historical value when removing votes, while using current voting power only for new vote additions.
Lead Judging Commences
GaugeController::_updateGaugeWeight uses current voting power for both old and new vote calculations, causing underflows when voting power increases and incorrect gauge weights
GaugeController::_updateGaugeWeight uses current voting power for both old and new vote calculations, causing underflows when voting power increases and incorrect gauge weights
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.