Expired boost can be re-delegated
Summary
Expired boost delegations or near expired boost can be re-delegated
Vulnerability Details
delegateBoost falis to ensure that the boost that is being delegated is infact a valid delegation not expired as no checks are done for the expiry of the delegation this open an opportunity for an malicious actor to delegate expired boost and which will be extended by delegation.expiry = block.timestamp + duration;
Impact
Malicious actor can delegate their boost and make it brand new leading to the unfair advantages and gaining boost which should not be applicable.
This will effect reward distributions and calculations
Recommendations
Impose a require statement that ensure the check that expired boost can't be redelegated and make the transaction revert.
Lead Judging Commences
BoostController delegations remain valid even when users withdraw their veRAAC tokens, allowing boost "double-spending" and undermining the economic model requiring locked tokens
BoostController delegations remain valid even when users withdraw their veRAAC tokens, allowing boost "double-spending" and undermining the economic model requiring locked tokens
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.