Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Incorrect `workingSupply` Update in `updateUserBoost`

Summary

The function `updateUserBoost` assigns `newBoost`, the boost amount of a single user, to the pool's `workingSupply`. As a result, `workingSupply` is overwritten on every update instead of holding a cumulative value across all users in the pool, which leaves the pool's working-supply accounting data misleading.

Vulnerability Details

  • The `workingSupply` variable is meant to represent the total effective supply of the pool, including all users' boosts.

  • However, in `updateUserBoost`, it is directly set to `newBoost`, which only accounts for the boost of the currently updated user.

  • This means the previous working supply data is overwritten, likely leading to incorrect calculations in future reward distributions.

  • As more users update their boosts, `workingSupply` will reflect only the latest updated user's boost, not the sum of all users' boosts.

  • Since `workingSupply` is not used for boost calculations, this does not impact reward distribution but leads to incorrect accounting data.

Impact

  • Misleading Pool Data: The `workingSupply` field will not correctly represent the pool's true boosted supply, which could cause confusion in off-chain tracking and analytics.

  • Potential UI/Reporting Issues: Any frontend, dashboard, or analytics tool relying on `workingSupply` may display incorrect pool statistics.

  • Operational Inefficiencies: Incorrect tracking could lead to misinterpretations of liquidity and boost distribution, affecting governance or future protocol decisions.

Tools Used

Manual Review

Recommendations

Instead of directly setting `workingSupply = newBoost`, update it incrementally like `totalBoost` to reflect cumulative changes.
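The two update patterns side by side, as an added illustration that is not the audited BoostController code. The contract name, storage layout, helper names and the caller-supplied `newBoost` are assumptions made so the model is self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Simplified model for illustration only; NOT the audited BoostController.
// Assumptions: storage layout, all names, and newBoost passed in by the caller.
contract WorkingSupplyModel {
    struct PoolBoost {
        uint256 totalBoost;    // cumulative boost of all users
        uint256 workingSupply; // meant to be cumulative as well
    }

    PoolBoost public overwritten; // bookkeeping as described in the finding
    PoolBoost public incremental; // bookkeeping as recommended
    mapping(address => uint256) public userBoost;

    function updateUserBoost(address user, uint256 newBoost) external {
        uint256 oldBoost = userBoost[user];
        userBoost[user] = newBoost;

        // Reported pattern: totalBoost tracks the delta, workingSupply is replaced.
        overwritten.totalBoost = _applyDelta(overwritten.totalBoost, oldBoost, newBoost);
        overwritten.workingSupply = newBoost;

        // Recommended pattern: workingSupply gets the same delta as totalBoost.
        incremental.totalBoost = _applyDelta(incremental.totalBoost, oldBoost, newBoost);
        incremental.workingSupply = _applyDelta(incremental.workingSupply, oldBoost, newBoost);
    }

    function _applyDelta(uint256 total, uint256 oldBoost, uint256 newBoost)
        private pure returns (uint256)
    {
        return newBoost >= oldBoost
            ? total + (newBoost - oldBoost)
            : total - (oldBoost - newBoost);
    }

    // Invariant for tests or off-chain monitoring: workingSupply equals the sum
    // of the listed users' boosts. `users` must contain every updated user once.
    function checkInvariant(address[] calldata users)
        external view returns (bool overwrittenOk, bool incrementalOk)
    {
        uint256 sum;
        for (uint256 i = 0; i < users.length; i++) {
            sum += userBoost[users[i]];
        }
        overwrittenOk = overwritten.workingSupply == sum;
        incrementalOk = incremental.workingSupply == sum;
    }
}
```

Once two distinct users have non-zero boosts, `checkInvariant` fails for the overwritten pool and holds for the incremental one, which makes it a usable regression check for the fix.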

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BoostController::updateUserBoost overwrites workingSupply with single user's boost value instead of accumulating, breaking reward multipliers and allowing last updater to capture all benefits
