Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

BoostController::delegateBoost does not take the already delegated amount into account and allows a user to delegate more than the user owns

Summary

A user can delegate a boost equal to their full veRAACToken balance to each of several users. The total delegated boost then exceeds the user's veRAACToken balance.

Vulnerability Details

The function BoostController::delegateBoost checks that a delegation to the "to" address does not already exist. However, it does not check how much the user has already delegated to other users. This allows the scenario below:

  1. User has veRAACToken balance of 1000

  2. The user delegates 1000 to user B

  3. The user delegates 1000 to user C

  4. Now the user has delegated 2000, although the user's balance is only 1000

Impact

A user can make the total boost greater than it should be.

Tools Used

Manual review

Recommendations

Consider tracking the amount each user has already delegated and checking, on every new delegation, that the total does not exceed the user's balance.
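
The missing check and the recommended one, side by side, as an added example that is not RAAC's BoostController code. The contract, its function names, its errors and the veBalance mapping (standing in for the veRAACToken balance) are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not the audited contract. All names are hypothetical.
contract DelegationModel {
    mapping(address => uint256) public veBalance;      // stand-in for the veRAACToken balance
    mapping(address => mapping(address => uint256)) public delegated; // from => to => amount
    mapping(address => uint256) public totalDelegated; // from => sum over all recipients

    error InsufficientBalance();
    error AlreadyDelegated();

    // Stand-in for locking tokens, so the scenario can be replayed.
    function setBalance(address user, uint256 amount) external {
        veBalance[user] = amount;
    }

    // Pattern the finding describes: the amount is compared with the full
    // balance, and only the slot for this one recipient is checked.
    // With a balance of 1000, delegating 1000 to B and then 1000 to C both
    // succeed, and totalDelegated ends at 2000.
    function delegateUnchecked(address to, uint256 amount) external {
        if (veBalance[msg.sender] < amount) revert InsufficientBalance();
        if (delegated[msg.sender][to] != 0) revert AlreadyDelegated();
        delegated[msg.sender][to] = amount;
        totalDelegated[msg.sender] += amount; // tracked here only to expose the overshoot
    }

    // Recommended pattern: the running total is part of the check.
    // With a balance of 1000, delegating 1000 to B succeeds and the second
    // call for C reverts with InsufficientBalance.
    function delegateChecked(address to, uint256 amount) external {
        if (delegated[msg.sender][to] != 0) revert AlreadyDelegated();
        if (totalDelegated[msg.sender] + amount > veBalance[msg.sender]) revert InsufficientBalance();
        delegated[msg.sender][to] = amount;
        totalDelegated[msg.sender] += amount;
    }

    // The total has to be reduced whenever a delegation ends, otherwise the
    // user's delegation capacity is never released.
    function removeDelegation(address to) external {
        uint256 amount = delegated[msg.sender][to];
        delegated[msg.sender][to] = 0;
        totalDelegated[msg.sender] -= amount;
    }
}
```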

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BoostController::delegateBoost lacks total delegation tracking, allowing users to delegate the same veTokens multiple times to different pools for amplified influence and rewards
