Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Incorrect user rewards calculation in RAACGauge and RWAGauge gauges due to missing override of a function

Summary

The virtual function _getBaseWeight defined in the BaseGauge contract is not overridden in the RAACGauge and RWAGauge contracts. The default implementation therefore returns a larger value than expected, because it returns the weight of the whole gauge instead of the weight (the staked tokens) of the specified user in that gauge.

Function in BaseGauge contract:

```solidity
function _getBaseWeight(address account) internal view virtual returns (uint256) {
    //@Audit this function is not overridden in RAACGauge and RWAGauge; the base logic returns an incorrect value as it
    //gets the weight for the whole gauge instead of just the user's weight for that gauge
    return IGaugeController(controller).getGaugeWeight(address(this));
}
```

Vulnerability Details

Because _getBaseWeight is not overridden in the RAACGauge and RWAGauge contracts, getUserWeight does not return the correct weight of a user in a specific gauge. As a result, the reward value computed inside the earned function is far larger than expected, since the total weight of a gauge is far larger than the weight of a single user staking in it. This further causes problems when the user calls getReward on the gauge: either the gauge's balance will not be enough to cover this inflated rewards amount, or the user will receive more rewards than he/she is entitled to.

Function affected by the incorrect value, used to calculate the user rewards in the gauge:

```solidity
function earned(address account) public view returns (uint256) {
    //@Audit getUserWeight will return a large value because _getBaseWeight is not overridden
    return (getUserWeight(account) *
        (getRewardPerToken() - userStates[account].rewardPerTokenPaid) / 1e18
    ) + userStates[account].rewards;
}
```

Impact

Users will either be able to withdraw more reward tokens than they are entitled to, or be unable to withdraw rewards at all if the calculated rewards amount exceeds the gauge's balance of reward tokens.

Tools Used

  • Manual Review

Recommendations

To get an accurate user weight for the given gauge, the _getBaseWeight function needs to be overridden in the RAACGauge and RWAGauge contracts as follows:

```solidity
function _getBaseWeight(address account) internal view override returns (uint256) {
    //This is the actual weight for the user, depending on how many tokens he/she has staked
    return _balances(account);
}
```
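
The following Python model is an added example, not code from the RAAC project, that reproduces the reward accounting quoted above (rewardPerToken / rewardPerTokenPaid) and compares the unfixed base weight with the recommended override. It assumes the gauge-wide weight returned by the controller equals the total staked supply; the account names and stake amounts are constructed.

```python
# Toy model of the BaseGauge reward accounting from the finding. Constructed
# example, not the project's code. Assumption: the gauge-wide weight that the
# unfixed _getBaseWeight returns is modelled as the total staked supply.

PRECISION = 10**18


class GaugeModel:
    def __init__(self, stakes, fix_base_weight):
        self.balances = dict(stakes)            # staked tokens per account
        self.total_supply = sum(stakes.values())
        self.reward_per_token_stored = 0
        self.reward_per_token_paid = {a: 0 for a in stakes}
        self.rewards = {a: 0 for a in stakes}   # previously checkpointed rewards
        self.fix_base_weight = fix_base_weight

    def _get_base_weight(self, account):
        # Unfixed: weight of the whole gauge (same for every caller).
        # Fixed: the caller's own staked balance, as the recommendation does.
        if self.fix_base_weight:
            return self.balances[account]
        return self.total_supply

    def distribute(self, amount):
        # Accrue `amount` reward tokens pro rata to the staked supply.
        self.reward_per_token_stored += amount * PRECISION // self.total_supply

    def earned(self, account):
        # Mirrors BaseGauge.earned: weight * (rewardPerToken - paid) / 1e18 + rewards
        delta = self.reward_per_token_stored - self.reward_per_token_paid[account]
        return self._get_base_weight(account) * delta // PRECISION + self.rewards[account]


def total_claimable(stakes, funded, fix_base_weight):
    """Sum of earned() over all stakers after `funded` tokens were distributed."""
    g = GaugeModel(stakes, fix_base_weight)
    g.distribute(funded)
    return sum(g.earned(a) for a in stakes)


if __name__ == "__main__":
    stakes = {"alice": 100 * 10**18, "bob": 300 * 10**18}   # constructed
    funded = 1000 * 10**18
    print("fixed  :", total_claimable(stakes, funded, True) // 10**18)
    print("unfixed:", total_claimable(stakes, funded, False) // 10**18)
```

With the fixed weight the claims sum to exactly the 1000 tokens funded; with the unfixed weight every staker is credited as if they held the whole gauge, so the claims sum to 2000 tokens, which the gauge balance cannot cover.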

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BaseGauge::earned calculates rewards using getUserWeight instead of staked balances, potentially allowing users to claim rewards by gaining weight without proper reward checkpoint updates
