Incorrect Boost Multiplier Calculation
Summary
An issue was identified in the getBoostMultiplier function where the calculation always returns MAX_BOOST if userBoost.amount > 0. The formula used incorrectly divides the amount by itself, leading to a constant return value.
Vulnerability Details
Affected Line:
Issue: The baseAmount calculation does not properly normalize the boost multiplier, causing the return value to always equal MAX_BOOST whenever userBoost.amount is greater than zero.
Impact
Users will always see the maximum boost multiplier, regardless of their actual boost calculation.
This can lead to inaccurate reward distribution and unfair advantages.
Users may be misled about their true boost status, impacting their decisions regarding staking or participation.
Tools Used
Manual code review
Solidity static analysis
Recommendations
The calculation should be revised to correctly determine the boost multiplier based on actual user data.
Lead Judging Commences
BoostController::getBoostMultiplier always returns MAX_BOOST for any non-zero boost due to mathematical calculation error, defeating the incentive mechanism
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.