In the updateUserBoost function, after recalculating a user’s boost, the pool’s working supply is updated by directly assigning the new boost value:
This overwrites any previous boost contributions from other users rather than accumulating them.
The error stems from failing to add the change in boost to the existing pool total. Instead of summing the boosts from all users, the function replaces the working supply with the latest value, neglecting other staked boosts.
Imagine a pool where User A has a boost of 2,000 and User B has a boost of 3,000. The correct working supply should be 5,000. If User B updates their boost and the working supply is simply set to 3,000, then the system underestimates the total boost by 2,000. Consequently, reward calculations based on the working supply will be lower than they should be, causing misallocation of rewards.
The protocol is heavily influenced by the Curve protocol's working mechanisms.
Curve Finance’s gauge system addresses similar challenges by calculating each user’s “working balance” using a formula that combines their deposited liquidity with their locked veCRV tokens. Instead of overwriting the global working supply when an individual’s boost changes, Curve incrementally adjusts it by computing the difference (delta) between the new and old working balances. This delta is then added to or subtracted from the total working supply, ensuring that it always accurately reflects the sum of all users’ effective balances. By using this incremental update mechanism, Curve ensures fair reward distribution and prevents any single update from distorting the overall calculations.
As a result, the pool’s working supply reflects only the last updated user’s boost rather than the combined boost of all users. This misrepresentation can lead to incorrect reward calculations and unfair distribution, with the calculation skewed toward the most recent update.
Modify the update logic to adjust the pool’s working supply cumulatively. For example, update the working supply by adding the difference between the new and old boost for that user rather than overwriting:
```
if (newBoost >= oldBoost) {
    poolBoost.workingSupply += (newBoost - oldBoost);
} else {
    poolBoost.workingSupply -= (oldBoost - newBoost);
}
```
This preserves the contributions of all users.
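The overwrite and the delta update side by side, replaying the User A / User B scenario described above. This is an added example, not the protocol's own code; the contract name, `setBoost`, `scenario` and the two supply variables are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration only; every name here is hypothetical.
contract WorkingSupplyModel {
    mapping(address => uint256) public userBoost;

    uint256 public workingSupplyOverwrite; // tracks the buggy assignment
    uint256 public workingSupplyDelta;     // tracks the cumulative update

    function setBoost(address user, uint256 newBoost) public {
        uint256 oldBoost = userBoost[user];
        userBoost[user] = newBoost;

        // Buggy pattern: the pool total becomes this one user's boost.
        workingSupplyOverwrite = newBoost;

        // Recommended pattern: apply only the change for this user.
        if (newBoost >= oldBoost) {
            workingSupplyDelta += newBoost - oldBoost;
        } else {
            workingSupplyDelta -= oldBoost - newBoost;
        }
    }

    /// Replays the scenario: A holds 2,000, B holds 3,000, then B updates.
    function scenario() external returns (uint256 overwritten, uint256 cumulative) {
        address a = address(uint160(0xA)); // constructed sample addresses
        address b = address(uint160(0xB));

        setBoost(a, 2000);
        setBoost(b, 3000);
        setBoost(b, 3000); // B refreshes their boost

        // Invariant the delta accounting must hold: total == sum of user boosts.
        assert(workingSupplyDelta == userBoost[a] + userBoost[b]);

        return (workingSupplyOverwrite, workingSupplyDelta);
    }
}
```

The `assert` in `scenario` is the property worth carrying into a test suite for the real contract: after any sequence of boost updates, the pool's working supply equals the sum of the individual boosts.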