Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

Hardcoded Max Boost Limit Causes Incorrect Reward Calculations

Summary

The _calculateBoost function in the BoostController contract calculates a user’s boosted rewards based on their veToken balance. However, it contains an issue where the maximum boost amount is determined using a hardcoded constant (MAX_BOOST) rather than the dynamically set boostState.maxBoost. This inconsistency can lead to incorrect boost calculations, potentially affecting reward distribution and user incentives.

Vulnerability Details

Affected Code

    uint256 maxBoostAmount = amount * MAX_BOOST / 10000; // Hardcoded value
    if (boostedAmount > maxBoostAmount) {
        return maxBoostAmount;
    }

and

    /**
     * @notice Calculates the current boost multiplier for a user in a pool
     * @param user Address of the user
     * @param pool Address of the pool
     * @return Current boost multiplier in basis points (1e4)
     */
    function getBoostMultiplier(
        address user,
        address pool
    ) external view override returns (uint256) {
        if (!supportedPools[pool]) revert PoolNotSupported();
        UserBoost storage userBoost = userBoosts[user][pool];
        if (userBoost.amount == 0) return MIN_BOOST;
        // Calculate actual boost multiplier in basis points
    @>  uint256 baseAmount = userBoost.amount * 10000 / MAX_BOOST;
        return userBoost.amount * 10000 / baseAmount;
    }

  • Issue: The function uses MAX_BOOST instead of boostState.maxBoost, which means that if the maximum boost percentage is updated via setBoostParameters, this function will not reflect the new value.

  • Potential Consequence:

    • Users could receive a lower boost than intended if boostState.maxBoost is increased.

    • If boostState.maxBoost is decreased, some users might receive an unfairly high boost, leading to unfair reward distribution.

Impact

  • Incorrect Reward Distribution: Users may not receive the correct boost, leading to losses in incentives or excessive rewards for some users.

Tools Used

Manual Review

Recommendations

Use boostState.maxBoost Instead of MAX_BOOST

  • Modify the code to dynamically use boostState.maxBoost:

    uint256 maxBoostAmount = amount * boostState.maxBoost / 10000;
    // This ensures that the correct maximum boost is always applied.
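
The cap from the affected snippet and the cap from the recommendation, placed side by side in one contract so the divergence after a parameter change can be observed. This is an added illustration, not the audited BoostController: the MAX_BOOST value, the contract name, the one-argument setBoostParameters and the helper function names are assumptions made for the demo.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration only; not the audited BoostController.
contract BoostCapDemo {
    // Assumed value for the demo (basis points); the report does not state it.
    uint256 public constant MAX_BOOST = 25000;

    struct BoostState {
        uint256 maxBoost; // configurable cap, basis points
    }

    // Starts equal to the constant, so both caps agree until it is changed.
    BoostState public boostState = BoostState({maxBoost: MAX_BOOST});

    // Hypothetical, simplified stand-in for the setter named in the report.
    // Access control is omitted here because this is a throwaway demo.
    function setBoostParameters(uint256 maxBoost) external {
        boostState.maxBoost = maxBoost;
    }

    // Cap as in the affected snippet: always derived from the constant.
    function capHardcoded(uint256 amount, uint256 boostedAmount) public pure returns (uint256) {
        uint256 maxBoostAmount = amount * MAX_BOOST / 10000;
        return boostedAmount > maxBoostAmount ? maxBoostAmount : boostedAmount;
    }

    // Cap as in the recommendation: follows the configured value.
    function capConfigured(uint256 amount, uint256 boostedAmount) public view returns (uint256) {
        uint256 maxBoostAmount = amount * boostState.maxBoost / 10000;
        return boostedAmount > maxBoostAmount ? maxBoostAmount : boostedAmount;
    }

    // Returns both results so a test can assert they stay equal
    // after setBoostParameters has been called.
    function compare(uint256 amount, uint256 boostedAmount)
        external
        view
        returns (uint256 hardcoded, uint256 configured)
    {
        hardcoded = capHardcoded(amount, boostedAmount);
        configured = capConfigured(amount, boostedAmount);
    }
}
```

Once setBoostParameters sets a value different from MAX_BOOST, compare returns two different amounts whenever boostedAmount exceeds the smaller of the two caps, which is the condition a regression test for the recommended change would assert against.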

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
