Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

The delegateBoost function in the BoostController contract does not check whether the to address is a supported pool

Summary

The delegateBoost function in the BoostController contract lacks a critical validation step: it does not check whether the to address (representing the pool) is a supported pool. This oversight could allow users to delegate boosts to unsupported pools, leading to inconsistencies in the contract's state and potential vulnerabilities in the boost management system.

Vulnerability Details

The delegateBoost function only checks that the to address is not the zero address:

    function delegateBoost(
        address to,
        uint256 amount,
        uint256 duration
    ) external override nonReentrant {
        if (paused()) revert EmergencyPaused();
        if (to == address(0)) revert InvalidPool();
        if (amount == 0) revert InvalidBoostAmount();
        if (duration < MIN_DELEGATION_DURATION || duration > MAX_DELEGATION_DURATION)
            revert InvalidDelegationDuration();
        uint256 userBalance = IERC20(address(veToken)).balanceOf(msg.sender);
        if (userBalance < amount) revert InsufficientVeBalance();
        UserBoost storage delegation = userBoosts[msg.sender][to];
        if (delegation.amount > 0) revert BoostAlreadyDelegated();
        delegation.amount = amount;
        delegation.expiry = block.timestamp + duration;
        delegation.delegatedTo = to;
        delegation.lastUpdateTime = block.timestamp;
        emit BoostDelegated(msg.sender, to, amount, duration);
    }

The function does not verify whether the to address is a supported pool by checking the supportedPools mapping. This means that users can delegate boosts to any address, including unsupported pools.

Impact

  • Inconsistent State: Boosts may be delegated to pools that are not intended to receive boosts, causing inconsistencies in the contract's state.

  • Wasted Gas: Users may waste gas by delegating boosts to unsupported pools, as these boosts will not be utilized.

  • Potential Exploits: Malicious actors could exploit this oversight to manipulate the contract's state or disrupt its functionality.

The impact is Low and the likelihood is Medium, so the severity is Low.

Tools Used

Manual Review

Recommendations

To address this issue, the delegateBoost function should include a validation step to ensure that the to address is a supported pool. Here is the updated code:

    function delegateBoost(
        address to,
        uint256 amount,
        uint256 duration
    ) external override nonReentrant {
        if (paused()) revert EmergencyPaused();
        if (to == address(0)) revert InvalidPool();
        if (!supportedPools[to]) revert PoolNotSupported(); // Add this check
        ...
        ...
    }
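
A regression test for the recommended check, added here as an example and not taken from the submission or the project's code. It assumes Foundry with forge-std; BoostControllerStub, setPool, the delegated mapping and the test addresses are constructed stand-ins that keep only the pool checks of delegateBoost.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in, not the project's BoostController: only the pool checks.
contract BoostControllerStub {
    error InvalidPool();
    error PoolNotSupported();
    mapping(address => bool) public supportedPools;
    mapping(address => mapping(address => uint256)) public delegated;

    // Hypothetical admin setter so the test can add and remove pools.
    function setPool(address pool, bool ok) external {
        supportedPools[pool] = ok;
    }

    function delegateBoost(address to, uint256 amount) external {
        if (to == address(0)) revert InvalidPool();
        if (!supportedPools[to]) revert PoolNotSupported(); // recommended check
        delegated[msg.sender][to] = amount;
    }
}

contract DelegateBoostPoolCheckTest is Test {
    BoostControllerStub controller;
    address pool = address(0xA11CE);     // constructed address, registered as a pool
    address stranger = address(0xBEEF);  // constructed address, never registered

    function setUp() public {
        controller = new BoostControllerStub();
        controller.setPool(pool, true);
    }

    function test_supportedPoolAccepted() public {
        controller.delegateBoost(pool, 100);
        assertEq(controller.delegated(address(this), pool), 100);
    }

    function test_unsupportedPoolRejected() public {
        vm.expectRevert(BoostControllerStub.PoolNotSupported.selector);
        controller.delegateBoost(stranger, 100);
        assertEq(controller.delegated(address(this), stranger), 0); // no state written
    }

    function test_delistedPoolRejected() public {
        controller.setPool(pool, false); // a pool that was supported and is no longer
        vm.expectRevert(BoostControllerStub.PoolNotSupported.selector);
        controller.delegateBoost(pool, 100);
    }
}
```
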
Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BoostController::delegateBoost lacks supported pool validation, allowing delegation to arbitrary addresses
