the _applyBoost will always return incorrect boost, because of the _getBaseWeight() in BaseGauge.sol
Summary
The function _getBaseWeight will return the weight of the gauge not the weight of the user for the gauge.
As we can see the account variable is never used.
Vulnerability Details
The base weight passed to _applyBoost comes from _getBaseWeight, which only returns a gauge-level value (obtained from IGaugeController(controller).getGaugeWeight(address(this))). This means that the boost is applied to the same base weight for every user, regardless of their individual stake.
Impact
All users would have the same “base” value applied to their boost, regardless of the amount they’ve staked.
This means that a user with a small deposit but a high boost multiplier (from locking a lot of veTokens) could receive a large effective weight relative to someone who staked a larger amount but has a lower boost.
Tools Used
Recommendations
_getBaseWeight should return the weight of the user
Lead Judging Commences
BaseGauge._getBaseWeight ignores account parameter and returns gauge's total weight, allowing users to claim rewards from gauges they never voted for or staked in
BaseGauge._getBaseWeight ignores account parameter and returns gauge's total weight, allowing users to claim rewards from gauges they never voted for or staked in
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.