Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

Missing crucial check for minboost and maxboost.

Summary

BaseGauge::setBoostParameters sets maxBoost and minBoost (restricted to onlyController), but as we can see it never checks that maxBoost > minBoost.

Vulnerability Details

RAACGauge and RWAGauge inherit BaseGauge and are deployed as contracts; BaseGauge supplies the maxBoost and minBoost used for the boost calculation in [BaseGauge::_applyBoost()](https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/governance/gauges/BaseGauge.sol#L246), but this calculation is only possible if the [maxBoost value is greater than minBoost](https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/libraries/governance/BoostCalculator.sol#L89).

minBoost must therefore be lower than maxBoost. When a user creates a checkpoint for reward calculation (SLOC#599-604), stakes (SLOC#257-267), withdraws (SLOC#269-280) or tries to claim rewards with getReward (SLOC#323-347), updateReward(msg.sender) executes first to update the reward state for that account; state.reward is computed from the user's current weight including boost (SLOC#584, SLOC#594).

_applyBoost() uses the minBoost and maxBoost values that the controller stored in the contract through BaseGauge::setBoostParameters (SLOC#535-543).

// File: contracts/core/governance/gauges/BaseGauge.sol
function setBoostParameters(
    uint256 _maxBoost,
    uint256 _minBoost,
    uint256 _boostWindow
) external onlyController {
    boostState.maxBoost = _maxBoost;
    boostState.minBoost = _minBoost;
    boostState.boostWindow = _boostWindow;
}

It then calculates the boost with the parameters passed in the call to _calculateBoost() (SLOC#246):

// File: contracts/core/governance/gauges/BaseGauge.sol
// Create BoostParameters struct from boostState
BoostCalculator.BoostParameters memory params = BoostCalculator.BoostParameters({
    maxBoost: boostState.maxBoost,
    minBoost: boostState.minBoost,
    boostWindow: boostState.boostWindow,
    totalWeight: boostState.totalWeight,
    totalVotingPower: boostState.totalVotingPower,
    votingPower: boostState.votingPower
});
uint256 boost = BoostCalculator.calculateBoost(
    veBalance,
    totalVeSupply,
    params
);

After that, BoostCalculator::calculateBoost performs this calculation (SLOC#89):

// File: contracts/libraries/governance/BoostCalculator.sol
uint256 boostRange = params.maxBoost - params.minBoost; // <@ POC here

In our case, let's say maxBoost: 25000 and minBoost: 30000. The contract is deployed with version ^0.8.19, whose checked arithmetic already detects underflow and overflow and reverts. The boostRange subtraction underflows and the calculation fails, so rewards cannot be calculated because the function reverts every time.

BaseGauge::setBoostParameters does not check that maxBoost is greater than minBoost, leading to an underflow in the boost calculation. The function does not verify that min is less than max, which should be a strongly held invariant.

Impact

The lack of validation for minBoost < maxBoost can cause incorrect calculations, potentially leading to underflows or unexpected results. It breaks the assumption that minBoost should always be less than maxBoost, leading to logical errors.

Tools Used

  • Manual Review

Recommended Mitigation

Consider adding a check that _minBoost < _maxBoost in BaseGauge::setBoostParameters.

function setBoostParameters(
    uint256 _maxBoost,
    uint256 _minBoost,
    uint256 _boostWindow
) external onlyController {
+   require(_minBoost < _maxBoost);
    boostState.maxBoost = _maxBoost;
    boostState.minBoost = _minBoost;
    boostState.boostWindow = _boostWindow;
}
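To make the failure mode and the mitigation concrete, here is an added, self-contained reproduction that is not part of the RAAC code base or of this submission. `BoostParamsDemo` is a hypothetical stripped-down gauge: it keeps the same three boost fields, exposes the unchecked setter exactly as reported next to a hardened setter that enforces `minBoost < maxBoost` at write time, and performs the same `maxBoost - minBoost` subtraction that `BoostCalculator.calculateBoost` performs. The `BoostParamsDemoRunner` contract and the values 25000/30000 are constructed for the walk-through; everything else (names, the `InvalidBoostBounds` error, the 7-day window) is an assumption of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Hypothetical reproduction of the reported issue (not the RAAC BaseGauge).
contract BoostParamsDemo {
    struct BoostState {
        uint256 maxBoost;
        uint256 minBoost;
        uint256 boostWindow;
    }

    BoostState public boostState;
    address public immutable controller;

    // Assumed custom error for the hardened setter (not in the original code).
    error InvalidBoostBounds(uint256 minBoost, uint256 maxBoost);

    modifier onlyController() {
        require(msg.sender == controller, "not controller");
        _;
    }

    constructor() {
        controller = msg.sender;
    }

    /// Vulnerable setter: mirrors the reported behaviour, no ordering check.
    function setBoostParametersUnchecked(
        uint256 _maxBoost,
        uint256 _minBoost,
        uint256 _boostWindow
    ) external onlyController {
        boostState.maxBoost = _maxBoost;
        boostState.minBoost = _minBoost;
        boostState.boostWindow = _boostWindow;
    }

    /// Hardened setter: rejects inverted bounds at write time, so the
    /// subtraction in boostRange() can never underflow later.
    function setBoostParameters(
        uint256 _maxBoost,
        uint256 _minBoost,
        uint256 _boostWindow
    ) external onlyController {
        if (_minBoost >= _maxBoost) revert InvalidBoostBounds(_minBoost, _maxBoost);
        boostState.maxBoost = _maxBoost;
        boostState.minBoost = _minBoost;
        boostState.boostWindow = _boostWindow;
    }

    /// The arithmetic that breaks: with checked math (>=0.8) this reverts with
    /// Panic(0x11) whenever minBoost > maxBoost, exactly like calculateBoost.
    function boostRange() public view returns (uint256) {
        return boostState.maxBoost - boostState.minBoost;
    }

    /// Reports whether the stored parameters make boostRange() revert, using an
    /// external self-call so the Panic can be caught instead of bubbling up.
    function rangeWouldRevert() external view returns (bool) {
        try this.boostRange() returns (uint256) {
            return false;
        } catch {
            return true;
        }
    }
}

/// Constructed walk-through: deploys the demo gauge (the runner becomes the
/// controller) and exercises both setters with the values from the report.
contract BoostParamsDemoRunner {
    function run() external returns (bool uncheckedPathBreaks, bool hardenedPathRejects) {
        BoostParamsDemo gauge = new BoostParamsDemo();

        // Unchecked path: the inverted bounds are accepted, and every later
        // reward update that reaches the subtraction reverts.
        gauge.setBoostParametersUnchecked(25000, 30000, 7 days);
        uncheckedPathBreaks = gauge.rangeWouldRevert(); // true

        // Hardened path: the same call is rejected at the setter, so the
        // contract never enters a state where reward accounting is stuck.
        try gauge.setBoostParameters(25000, 30000, 7 days) {
            hardenedPathRejects = false;
        } catch {
            hardenedPathRejects = true; // true
        }
    }
}
```

Deploying `BoostParamsDemoRunner` and calling `run()` returns `(true, true)`: the unchecked setter leaves the gauge in a state where the boost subtraction reverts on every call, while the hardened setter refuses the inverted bounds up front. Checking the invariant in the setter rather than in the calculation is the cheaper option, since the parameters are written rarely and read on every stake, withdraw and reward claim.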
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

akioniace Submitter
7 months ago
inallhonesty Lead Judge
7 months ago
inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
