Summary
The `updateUserBoost()` function in `BoostController.sol` is intended to update a user's boost value based on their current veToken balance. However, it passes a constant base amount (`10000`) in the call `_calculateBoost(user, pool, 10000)` instead of the user's actual veToken balance. As a result, a user who has never deposited any veToken can still be assigned a boost.
Vulnerability Details
In the function, the new boost is calculated with the following line:
```solidity
uint256 newBoost = _calculateBoost(user, pool, 10000); // Base amount
```
Here, `10000` is a hardcoded base amount and does not reflect the user's current veToken balance. Consequently, a user who has deposited no veToken can still end up with a nonzero boost value, which deviates from the intended design of deriving boosts from actual veToken holdings.
### Proof of Concept
Consider a new account that has never locked any veToken, so its veToken balance is zero. The boost update function is called for this account. Because the function passes the static value `10000` as the amount to `_calculateBoost()`, the stored boost is whatever `_calculateBoost()` returns for an amount of `10000`, a value driven by the constant rather than by the user's zero balance. Comparing this against the result of the same call with the actual balance (`0`) as the amount makes the discrepancy visible: the former is nonzero while the latter should not grant any boost.
Impact
Unfair Reward Distribution: Users without any veToken deposit could receive undeserved boost benefits, potentially inflating their weight and rewards.
Incentive Misalignment: The mechanism for rewarding long-term participation through veToken deposits is undermined if new users can obtain a boost without any commitment.
Economic Discrepancies: The inaccurate boost calculations can lead to distortions in the overall reward or fee distribution, affecting protocol economics.
Tools Used
Manual review
Recommendations
Use Actual veToken Balance: Refactor the function to pass the user's current veToken balance to `_calculateBoost()`, so the boost reflects the user's stake. For example (where `_getVeTokenBalance` is a placeholder for however the contract reads `veToken.balanceOf(user)`):
```solidity
uint256 veTokenBalance = _getVeTokenBalance(user); // Placeholder: read the user's actual veToken balance
uint256 newBoost = _calculateBoost(user, pool, veTokenBalance);
```
Review Boost Logic: Confirm what `_calculateBoost()` does with its third argument and whether it also reads the user's veToken balance internally, and verify that the resulting boost scales with the user's stake and the intended protocol parameters.
Implement Unit Tests: Create tests covering zero, partial, and maximum veToken balances, asserting in particular that a zero balance yields no boost and that the maximum balance hits the intended cap.
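The following Foundry test is an added, illustrative reproduction that serves both the proof of concept above and the unit-test recommendation; it is not code from the audited repository. `BoostModel` is a hypothetical, simplified stand-in for `BoostController`: its `_calculateBoost` formula (linear in the user's share of veToken supply, clamped between an assumed `MIN_BOOST` of 10000 and `MAX_BOOST` of 25000 basis points), the `MockVeToken` contract, the address constants, and the `forge-std` import are all assumptions. Only the `_calculateBoost(user, pool, 10000)` call mirrors the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol"; // assumes a Foundry project with forge-std vendored

// Stand-in for the protocol's veToken: only the two views the model reads (assumed interface).
interface IVeToken {
    function balanceOf(address account) external view returns (uint256);
    function totalSupply() external view returns (uint256);
}

contract MockVeToken is IVeToken {
    mapping(address => uint256) public override balanceOf;
    uint256 public override totalSupply;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
        totalSupply += amount;
    }
}

// Hypothetical minimal model of the boost logic, not BoostController.sol itself.
// The formula is assumed: multiplier grows linearly with the user's share of veToken supply.
contract BoostModel {
    uint256 public constant MIN_BOOST = 10000; // 1.0x in basis points (assumed)
    uint256 public constant MAX_BOOST = 25000; // 2.5x in basis points (assumed)

    IVeToken public immutable veToken;
    mapping(address => mapping(address => uint256)) public userBoost; // user => pool => boost

    constructor(IVeToken _veToken) {
        veToken = _veToken;
    }

    // Returns `amount` scaled by the user's multiplier; an `amount` of 0 always yields 0.
    function _calculateBoost(address user, address /*pool*/, uint256 amount) internal view returns (uint256) {
        uint256 supply = veToken.totalSupply();
        if (supply == 0) return amount; // nobody has locked: everyone sits at 1.0x
        uint256 multiplier = MIN_BOOST + (MAX_BOOST - MIN_BOOST) * veToken.balanceOf(user) / supply;
        return amount * multiplier / 10000;
    }

    // Pattern described in the finding: a constant base amount regardless of the user's balance.
    function updateUserBoostVulnerable(address user, address pool) external {
        userBoost[user][pool] = _calculateBoost(user, pool, 10000); // Base amount
    }

    // Recommended pattern: the user's actual veToken balance is the amount being boosted.
    function updateUserBoostFixed(address user, address pool) external {
        uint256 veTokenBalance = veToken.balanceOf(user);
        userBoost[user][pool] = _calculateBoost(user, pool, veTokenBalance);
    }
}

contract BoostModelTest is Test {
    MockVeToken ve;
    BoostModel model;
    address alice = address(0xA11CE); // constructed test addresses
    address bob = address(0xB0B);
    address pool = address(0x9001);

    function setUp() public {
        ve = new MockVeToken();
        model = new BoostModel(ve);
    }

    // Proof of concept: a user with zero veToken still ends up with a nonzero boost.
    function testZeroBalanceGetsBoostFromConstant() public {
        ve.mint(bob, 100); // someone else has locked; alice holds nothing
        model.updateUserBoostVulnerable(alice, pool);
        assertEq(model.userBoost(alice, pool), 10000); // driven purely by the hardcoded base
        model.updateUserBoostFixed(alice, pool);
        assertEq(model.userBoost(alice, pool), 0); // no stake, no boost
    }

    // Partial stake: alice holds half the supply, so her 50 tokens are boosted at 1.75x.
    function testPartialBalance() public {
        ve.mint(alice, 50);
        ve.mint(bob, 50);
        model.updateUserBoostFixed(alice, pool);
        assertEq(model.userBoost(alice, pool), 87); // 50 * 17500 / 10000, rounded down
    }

    // Maximum stake: alice is the only holder, so she reaches MAX_BOOST (2.5x).
    function testMaxBalance() public {
        ve.mint(alice, 100);
        model.updateUserBoostFixed(alice, pool);
        assertEq(model.userBoost(alice, pool), 250);
    }
}
```

Run with `forge test` inside a Foundry project. The first test is the proof of concept: the same zero-balance account is assigned 10000 by the hardcoded-base path and 0 by the balance-based path. If the real `_calculateBoost()` also reads `veToken.balanceOf(user)` internally, adapt the model's formula before drawing conclusions about the exact values the production contract returns.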