The delegateBoost function allows users to delegate more boost than their actual veToken balance by delegating to multiple unique addresses. This occurs because the function only checks for an active delegation to a specific address (to) and does not track the cumulative amount of boost delegated across all addresses relative to the user's veToken balance. As a result, users can split their boost across multiple recipients, effectively over-delegating beyond their actual balance.
The delegateBoost function includes the following checks:
This ensures that a user cannot delegate more than once to the same address (to) at the same time. However, it does not prevent the user from delegating to multiple unique addresses.
The function also includes a balance check:
This ensures that the user has sufficient veToken balance for the current delegation. However, it does not account for cumulative delegations across multiple addresses.
A user can delegate their boost to multiple unique addresses, each time passing the userBalance < amount revert check, as long as each individual amount does not exceed their balance.
This allows the user to delegate more boost than their actual veToken balance by splitting it across multiple recipients.
Users can over-delegate their boost, gaining unfair advantages in reward distribution.
Manual code review
Introduce a Boolean flag to enforce a single active delegation per user: mapping(address => bool) public hasDelegated
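To make the accounting gap concrete, the following is an added illustrative contract, not the audited project's code. It places the per-recipient-only check beside a variant that tracks the user's total outstanding delegations (a stricter alternative to the single-flag recommendation above); the contract, struct and function names, the IVeToken interface, and the reclaim flow are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical veToken interface; only the balance lookup is needed for the check.
interface IVeToken {
    function balanceOf(address account) external view returns (uint256);
}

contract BoostDelegationModel {
    IVeToken public immutable veToken;

    struct Delegation { uint256 amount; uint256 expiry; }
    // user => recipient => delegation (the only state the original check consults)
    mapping(address => mapping(address => Delegation)) public delegations;
    // Fix: boost a user currently has delegated across all recipients
    mapping(address => uint256) public totalDelegated;

    constructor(IVeToken _veToken) { veToken = _veToken; }

    // Vulnerable pattern (illustration only): both checks are per (sender, to) pair, so a
    // user holding balance B can call this with N distinct `to` values and delegate N*B.
    function delegateBoostVulnerable(address to, uint256 amount, uint256 duration) external {
        require(delegations[msg.sender][to].expiry <= block.timestamp, "active delegation");
        require(veToken.balanceOf(msg.sender) >= amount, "insufficient balance");
        delegations[msg.sender][to] = Delegation(amount, block.timestamp + duration);
    }

    // Hardened: compare against balance minus everything already delegated to anyone.
    // veToken balances typically decay, so guard against balance < totalDelegated.
    function delegateBoost(address to, uint256 amount, uint256 duration) external {
        require(delegations[msg.sender][to].expiry <= block.timestamp, "active delegation");
        uint256 bal = veToken.balanceOf(msg.sender);
        uint256 used = totalDelegated[msg.sender];
        uint256 available = bal > used ? bal - used : 0;
        require(available >= amount, "exceeds undelegated balance");
        totalDelegated[msg.sender] += amount;
        delegations[msg.sender][to] = Delegation(amount, block.timestamp + duration);
    }

    // Release an expired delegation created via delegateBoost so its amount frees up.
    function reclaim(address to) external {
        Delegation memory d = delegations[msg.sender][to];
        require(d.amount > 0 && d.expiry <= block.timestamp, "nothing to reclaim");
        totalDelegated[msg.sender] -= d.amount;
        delete delegations[msg.sender][to];
    }
}
```

A unit test that calls delegateBoost twice with distinct recipients and a combined amount above the caller's balance should see the second call revert, whereas the same sequence against delegateBoostVulnerable succeeds.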