Core Contracts

Regnum Aurum Acquisition Corp
Hardhat · Real World Assets · NFT
77,280 USDC
Submission Details
Severity: high
Valid

Lack of Access Control in BoostController.updateUserBoost() Allows Unauthorized Boost Modifications

Description

updateUserBoost() performs no check on who the caller is, which user's boost is being updated, or which pool it is being pushed into. As a result, any account can call updateUserBoost() with an arbitrary user address and an arbitrary pool address and change that user's boost without the user's consent.

// https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/governance/boost/BoostController.sol#L177-L203
function updateUserBoost(
address user,
address pool
) external override nonReentrant whenNotPaused { ... }

Recommendation

Ensure that only authorized parties (e.g., the user themselves, or accounts holding a specific role such as MANAGER_ROLE) can update a given user's boost, and that the target pool is one the controller actually supports.
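The following is an added illustration written for this page, not the RAAC BoostController code: a stripped-down controller that keeps only enough state to show the problem (one boost amount per user, delegated to exactly one pool), with the unchecked entry point beside a guarded one that applies the recommendation above. The MANAGER_ROLE wiring, the pool registry, and the boost formula (boost equals a manager-set voting power) are assumptions for the example only.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the RAAC BoostController. It keeps only enough state to
// show the bug: a boost amount per user that is delegated to exactly one pool.
// MANAGER_ROLE, the pool registry and the boost formula are assumptions.
contract BoostControllerExample {
    bytes32 public constant MANAGER_ROLE = keccak256("MANAGER_ROLE");

    mapping(bytes32 => mapping(address => bool)) private _roles;
    mapping(address => bool) public supportedPools;
    mapping(address => uint256) public votingPower;   // stand-in for a veToken balance
    mapping(address => address) public delegatedPool; // user => pool receiving the boost
    mapping(address => uint256) public userBoost;     // user => boost currently delegated
    mapping(address => uint256) public poolBoost;     // pool => total boost delegated to it

    event BoostUpdated(address indexed user, address indexed pool, uint256 amount);

    error Unauthorized(address caller, address user);
    error PoolNotSupported(address pool);

    constructor() {
        _roles[MANAGER_ROLE][msg.sender] = true;
    }

    function hasRole(bytes32 role, address account) public view returns (bool) {
        return _roles[role][account];
    }

    modifier onlyManager() {
        if (!hasRole(MANAGER_ROLE, msg.sender)) revert Unauthorized(msg.sender, address(0));
        _;
    }

    function addPool(address pool) external onlyManager {
        supportedPools[pool] = true;
    }

    function setVotingPower(address user, uint256 amount) external onlyManager {
        votingPower[user] = amount;
    }

    // Vulnerable shape (mirrors the finding): any caller may choose both `user`
    // and `pool`, so Eve can point Alice's boost at a pool Alice never chose.
    function updateUserBoostUnchecked(address user, address pool) external {
        _applyBoost(user, pool);
    }

    // Hardened shape: only the user, or a MANAGER_ROLE holder, may move a boost,
    // and only into a pool the controller actually supports.
    function updateUserBoost(address user, address pool) external {
        if (msg.sender != user && !hasRole(MANAGER_ROLE, msg.sender)) {
            revert Unauthorized(msg.sender, user);
        }
        if (!supportedPools[pool]) revert PoolNotSupported(pool);
        _applyBoost(user, pool);
    }

    // Moves the user's boost from the previously delegated pool to `pool`.
    function _applyBoost(address user, address pool) internal {
        address previous = delegatedPool[user];
        if (previous != address(0)) {
            poolBoost[previous] -= userBoost[user];
        }
        uint256 amount = votingPower[user];
        userBoost[user] = amount;
        delegatedPool[user] = pool;
        poolBoost[pool] += amount;
        emit BoostUpdated(user, pool, amount);
    }
}
```

To confirm the guard in a Foundry or Hardhat test, have a manager register a pool and set a voting power for alice, then call updateUserBoost(alice, pool) from a third address and expect the Unauthorized revert, while the same call from alice (or from the manager) succeeds and credits poolBoost[pool]. The unchecked variant lets the third address succeed, which is exactly the behaviour the finding describes.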

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BoostController::updateUserBoost lacks caller validation, allowing anyone to force delegation of any user's boost to any pool without consent, hijacking voting power
