Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Incorrect Boost Multiplier Calculation in `BoostController` Contract

Summary

The getBoostMultiplier function in the BoostController contract is intended to return the current boost multiplier for a user in a specific pool. However, due to an incorrect calculation, the function always returns MAX_BOOST, leading to inaccurate boost multipliers.

Vulnerability Details

Affected Function:

function getBoostMultiplier(
    address user,
    address pool
) external view override returns (uint256) {
    if (!supportedPools[pool]) revert PoolNotSupported();
    UserBoost storage userBoost = userBoosts[user][pool];
    if (userBoost.amount == 0) return MIN_BOOST;
    // Incorrect calculation
    uint256 baseAmount = userBoost.amount * 10000 / MAX_BOOST;
    return userBoost.amount * 10000 / baseAmount;
}

Root Cause:

  1. The variable baseAmount is calculated as:

    uint256 baseAmount = userBoost.amount * 10000 / MAX_BOOST;

    This is intended to normalize the boost amount, but baseAmount is just userBoost.amount scaled by 10000 / MAX_BOOST, which makes it the wrong divisor for the next calculation.

  2. The final return statement performs the following calculation:

    return userBoost.amount * 10000 / baseAmount;

    Since baseAmount is userBoost.amount * 10000 / MAX_BOOST, this division cancels userBoost.amount and always results in MAX_BOOST (25000 basis points), regardless of the actual boost amount.

Calculation Breakdown:

Let's assume a scenario where userBoost.amount = 10000:

uint256 baseAmount = (10000 * 10000) / 25000; // baseAmount = 4000
return (10000 * 10000) / 4000; // Returns 25000 (MAX_BOOST)

Why Does it Always Return MAX_BOOST (25000)?

  • The baseAmount formula effectively cancels out userBoost.amount, leaving just MAX_BOOST (25000).

  • Regardless of userBoost.amount, the function always results in 25000.
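
The cancellation can be checked with a small BigInt model of the two arithmetic lines. This is an added example, not code from the report or the audited project; it goes beyond the single amount = 10000 case by also evaluating very small amounts, where integer truncation dominates. The MIN_BOOST value, the survey helper and the sample amounts are assumptions made for the illustration.

```javascript
// Added example: BigInt model of the arithmetic in getBoostMultiplier.
const MAX_BOOST = 25000n; // basis points, value quoted in the report
const MIN_BOOST = 10000n; // assumed placeholder: the report does not state it

// BigInt division truncates like Solidity uint256 division, and dividing by
// 0n throws a RangeError, which stands in here for the on-chain revert.
function getBoostMultiplier(amount) {
  if (amount === 0n) return MIN_BOOST;
  const baseAmount = (amount * 10000n) / MAX_BOOST;
  return (amount * 10000n) / baseAmount;
}

// Hypothetical helper: evaluate the model over a list of amounts and record
// a division by zero as the string "revert".
function survey(amounts) {
  return amounts.map((amount) => {
    try {
      return [amount, getBoostMultiplier(amount)];
    } catch (err) {
      if (err instanceof RangeError) return [amount, "revert"];
      throw err;
    }
  });
}

// Constructed sample amounts: the report's own case (10000), token-sized
// values, and very small values where truncation dominates.
const SAMPLE_AMOUNTS = [
  1n, 3n, 5n, 10000n, 10001n, 10n ** 18n, 7n * 10n ** 18n + 1n,
];

for (const [amount, result] of survey(SAMPLE_AMOUNTS)) {
  console.log(`amount=${amount} -> ${result}`);
}
```

Token-sized amounts all come out at 25000, matching the report; in this model the result only departs from 25000 for very small amounts, where baseAmount truncates.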

Impact

  • Users always receive MAX_BOOST as the multiplier, even if their actual boost amount is lower.

  • This miscalculation leads to incorrect rewards distribution in protocols that depend on the boost multiplier.

Tools Used

  • Manual code review

Recommendations

  1. Correct the boost multiplier calculation to ensure it accurately reflects the user’s boost amount. The intended calculation might be:

    return MIN_BOOST + (userBoost.amount * (MAX_BOOST - MIN_BOOST) / MAX_BOOST);

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BoostController::getBoostMultiplier always returns MAX_BOOST for any non-zero boost due to mathematical calculation error, defeating the incentive mechanism
