Missing Minimum Vote Weight Check in `GaugeController` Contract
Summary
The GaugeController contract defines a state variable MIN_VOTE_WEIGHT (set to 100, representing a 1% minimum vote). However, the vote function does not enforce this minimum requirement when users cast their votes, allowing vote weights below the intended threshold. This omission can lead to unintended voting behavior and potential manipulation of gauge weight distributions.
Vulnerability Details
-
Affected Function:
function vote(address gauge, uint256 weight) external override whenNotPaused {if (!isGauge(gauge)) revert GaugeNotFound();if (weight > WEIGHT_PRECISION) revert InvalidWeight();uint256 votingPower = veRAACToken.balanceOf(msg.sender);if (votingPower == 0) revert NoVotingPower();//@audit-issue not checking for MIN_VOTE_WEIGHTuint256 oldWeight = userGaugeVotes[msg.sender][gauge];userGaugeVotes[msg.sender][gauge] = weight;_updateGaugeWeight(gauge, oldWeight, weight, votingPower);emit WeightUpdated(gauge, oldWeight, weight);} -
Issue:
The function lacks a check to ensure that theweightprovided by the user meets or exceeds the minimum vote weight defined byMIN_VOTE_WEIGHT(which is 100). As a result, users can submit votes with a weight lower than the intended minimum, potentially affecting the fairness and accuracy of gauge weight calculations.
Impact
Inaccurate Gauge Weight Distribution:
Allowing vote weights below the minimum threshold can lead to gauge weight distributions that do not reflect the intended voting power, potentially skewing reward allocations.Potential Manipulation:
Malicious users might exploit the absence of this check to cast multiple minimal votes, diluting the influence of legitimate votes and potentially manipulating gauge weights.
Tools Used
Manual Code Review
Recommendations
-
Implement Minimum Vote Weight Check:
Add a condition in thevotefunction to ensure that the vote weight is at leastMIN_VOTE_WEIGHT. For example:if (weight < MIN_VOTE_WEIGHT) revert InvalidWeight(); // Or a dedicated error for insufficient vote weight
Lead Judging Commences
GaugeController::vote lacks minimum weight validation, allowing votes below MIN_VOTE_WEIGHT (1%) despite documentation stating otherwise
GaugeController::vote lacks minimum weight validation, allowing votes below MIN_VOTE_WEIGHT (1%) despite documentation stating otherwise
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.