Incorrect Total Weight Calculation
Summary
The updateTotalWeight function computes the total weight using the BoostController’s own veToken lock position (i.e., veToken.getLockPosition(address(this)).amount). This means it is considering the controller contract's locked tokens rather than the aggregated voting power or boost weight from all users.
Vulnerability Details
The function is mistakenly referencing address(this) instead of aggregating or retrieving the intended global voting power or weight that should be derived from user contributions.
Suppose the BoostController contract holds a lock of 1,000 tokens, but the total effective voting power from users is 10,000 tokens. If the calculation uses the 1,000 tokens from the contract, then parameters like totalWeight and totalVotingPower are underreported by a factor of 10, leading to inflated boost multipliers for users relative to the proper base.
Impact
If the contract itself holds tokens, the total weight used in boost calculations becomes skewed. This inaccurate total weight can lead to erroneous boost multipliers, ultimately resulting in disproportionate reward allocations and undermining the fairness of the boost mechanism.
Recommendations
Revise updateTotalWeight so that it accurately aggregates the total voting power or boost weight from the user base. This might involve iterating over user states (or using a stored running total) rather than using veToken.getLockPosition(address(this)) or using a global variable to track totalWeight and totalVotingPower.
Lead Judging Commences
BoostController::updateTotalWeight queries its own nonexistent lock position and voting power when calculating boosts, resulting in zero values that break all boost calculations
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.