Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

Hardcoded Boost Cap Overrides Adjustable Parameters

Summary

The BoostController.sol contract contains a critical vulnerability where the _calculateBoost function enforces a hardcoded boost cap through MAX_BOOST, overriding the configurable parameters set via governance.

Vulnerable Code

    function _calculateBoost(address user, address pool, uint256 amount) internal view returns (uint256) {
        // ...existing code...
        // VULNERABILITY: Hardcoded MAX_BOOST ignores boostState.maxBoost
        uint256 maxBoostAmount = amount * MAX_BOOST / 10000; // Always uses 25000 (2.5x)
        if (boostedAmount > maxBoostAmount) {
            return maxBoostAmount; // Caps at hardcoded value
        }
        return boostedAmount;
    }

    // Governance function rendered partially ineffective
    function setBoostParameters(
        uint256 maxBoost,
        uint256 minBoost,
        uint256 boostWindow
    ) external onlyRole(MANAGER_ROLE) {
        if (maxBoost < minBoost) revert InvalidBoostAmount();
        if (maxBoost > 50000) revert MaxBoostExceeded(); // Allows up to 5x
        // ...existing code...
        boostState.maxBoost = maxBoost; // Value not respected in _calculateBoost
    }

Impact Analysis

  1. Parameter Override

    // Example scenario
    boostState.maxBoost = 40000; // Set to 4x via governance
    amount = 1000e18;
    // Actual calculation
    maxBoostAmount = 1000e18 * 25000 / 10000; // Capped at 2.5x
    // = 2500e18 instead of expected 4000e18

  2. Economic Impact

  • Users receive 40% less boost than governance intended

  • Protocol loses competitive advantage

  • Staking incentives reduced

  3. Governance Implications

  • Manager role authority undermined

  • Protocol flexibility limited

  • Documentation contradictions

Proof of Concept

    contract BoostOverrideTest {
        BoostController controller;
        // Placeholder addresses; a real test assigns these during setup
        address user;
        address pool;

        function testBoostOverride() public {
            // Setup
            controller.setBoostParameters(40000, 10000, 7 days); // 4x max boost
            // Test boost calculation
            uint256 baseAmount = 1000e18;
            (uint256 basisPoints, uint256 boosted) = controller.calculateBoost(
                user,
                pool,
                baseAmount
            );
            // Verify cap at 2.5x despite 4x setting
            assert(boosted <= baseAmount * 25000 / 10000); // Always true
            assert(boosted < baseAmount * 40000 / 10000); // Shows limitation
        }
    }

Recommended Mitigation

    contract BoostController {
        // Remove hardcoded constant
        // uint256 public constant MAX_BOOST = 25000; // REMOVE

        function _calculateBoost(
            address user,
            address pool,
            uint256 amount
        ) internal view returns (uint256) {
            // ...existing code...
            // Use configured parameter instead of constant
            uint256 maxBoostAmount = amount * boostState.maxBoost / 10000;
            if (boostedAmount > maxBoostAmount) {
                return maxBoostAmount;
            }
            return boostedAmount;
        }

        // Add events for parameter changes
        event MaxBoostUpdated(
            uint256 oldMaxBoost,
            uint256 newMaxBoost,
            address indexed governor
        );
    }

Additional Recommendations

  1. Parameter Validation:

    function setBoostParameters(
        uint256 maxBoost,
        uint256 minBoost,
        uint256 boostWindow
    ) external onlyRole(MANAGER_ROLE) {
        require(maxBoost >= MIN_PROTOCOL_BOOST, "Below min protocol boost");
        require(maxBoost <= MAX_PROTOCOL_BOOST, "Exceeds max protocol boost");
        // ...existing code...
    }

  2. Timelock for Parameter Changes:

    struct PendingBoostParams {
        uint256 maxBoost;
        uint256 minBoost;
        uint256 boostWindow;
        uint256 effectiveTime;
    }
    PendingBoostParams public pendingParams;
    uint256 public constant PARAM_TIMELOCK = 2 days;

  3. Emergency Controls:

    modifier whenBoostActive {
        require(!boostPaused, "Boost system paused");
        _;
    }
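
The timelock recommendation above gives only the storage layout. The following added example, which is not code from the submission or from the audited project, carries it through to a queue-then-apply flow and a cap that reads the applied parameter. The single `manager` address (standing in for MANAGER_ROLE), the function names, the `BoostParamsQueued` event and the initial parameter values are assumptions made for illustration.

```solidity
pragma solidity ^0.8.19;
// Added example: standalone sketch, not the audited BoostController. The manager
// address, queue/apply/capBoost functions and initial values are assumptions.
contract TimelockedBoostParams {
    struct PendingBoostParams {
        uint256 maxBoost;
        uint256 minBoost;
        uint256 boostWindow;
        uint256 effectiveTime; // 0 means nothing is queued
    }
    uint256 public constant PARAM_TIMELOCK = 2 days;
    uint256 public constant MAX_PROTOCOL_BOOST = 50000; // 5x, the bound in the page's setter
    address public immutable manager; // assumption: stands in for MANAGER_ROLE
    PendingBoostParams public pendingParams;
    uint256 public maxBoost = 25000; // constructed initial values (2.5x, 1x, 7 days)
    uint256 public minBoost = 10000;
    uint256 public boostWindow = 7 days;

    event BoostParamsQueued(uint256 newMaxBoost, uint256 newMinBoost, uint256 newBoostWindow, uint256 effectiveTime);
    event MaxBoostUpdated(uint256 oldMaxBoost, uint256 newMaxBoost, address indexed governor);

    constructor() { manager = msg.sender; }
    modifier onlyManager() {
        require(msg.sender == manager, "Not manager");
        _;
    }

    // Step 1: validate and record the proposal; live parameters are untouched.
    function queueBoostParameters(uint256 newMax, uint256 newMin, uint256 newWindow) external onlyManager {
        require(newMax >= newMin, "Invalid boost amount");
        require(newMax <= MAX_PROTOCOL_BOOST, "Exceeds max protocol boost");
        uint256 eta = block.timestamp + PARAM_TIMELOCK;
        pendingParams = PendingBoostParams(newMax, newMin, newWindow, eta);
        emit BoostParamsQueued(newMax, newMin, newWindow, eta);
    }

    // Step 2: after the delay, copy the queued values into the live parameters.
    function applyBoostParameters() external onlyManager {
        PendingBoostParams memory p = pendingParams;
        require(p.effectiveTime != 0, "Nothing queued");
        require(block.timestamp >= p.effectiveTime, "Timelock active");
        emit MaxBoostUpdated(maxBoost, p.maxBoost, msg.sender);
        (maxBoost, minBoost, boostWindow) = (p.maxBoost, p.minBoost, p.boostWindow);
        delete pendingParams;
    }

    // The cap reads the live parameter, never a constant or a queued value.
    function capBoost(uint256 amount, uint256 boostedAmount) external view returns (uint256) {
        uint256 maxBoostAmount = amount * maxBoost / 10000;
        return boostedAmount > maxBoostAmount ? maxBoostAmount : boostedAmount;
    }
}
```

Because `delete pendingParams` resets `effectiveTime` to zero, a second `applyBoostParameters` call reverts instead of re-emitting the event, and re-queuing restarts the full two-day delay.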

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
