Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Incorrect check in setBoostParameters

biakia

Summary

The setBoostParameters function in the BoostController contract allows the maxBoost parameter to be set up to 50000, while the MAX_BOOST constant is defined as 25000. This inconsistency creates a discrepancy between the contract's constant value and the allowed range for maxBoost, potentially leading to confusion, unintended behavior, or vulnerabilities in the boost calculation logic.

Vulnerability Details

MAX_BOOST is defined as 25000 in the BoostController contract

/// @notice Maximum boost multiplier (2.5x) in basis points

uint256 public constant MAX_BOOST = 25000;

However, the setBoostParameters function allows the maxBoost parameter to be set up to 50000

function setBoostParameters(

uint256 maxBoost,

uint256 minBoost,

uint256 boostWindow

) external onlyRole(MANAGER_ROLE) {

if (maxBoost < minBoost) revert InvalidBoostAmount();

if (maxBoost > 50000) revert MaxBoostExceeded(); // Max 5x absolute limit

...

The MAX_BOOST constant suggests that the maximum boost multiplier is 2.5x, but setBoostParameters allows it to be set up to 5x. This inconsistency can lead to confusion for developers and users.

Impact

If maxBoost is set to a value higher than MAX_BOOST, it may conflict with other parts of the contract that rely on the MAX_BOOST constant.

The impact is Low, the likelihood is High, so the severity is Low.

Tools Used

Manual Review

Recommendations

To resolve this inconsistency, the setBoostParameters function should enforce the same maximum value as the MAX_BOOST constant. Here is the updated code:

function setBoostParameters(

uint256 maxBoost,

uint256 minBoost,

uint256 boostWindow

) external onlyRole(MANAGER_ROLE) {

if (minBoost < MIN_BOOST) revert InvalidBoostAmount();

if (maxBoost < minBoost) revert InvalidBoostAmount();

if (maxBoost > MAX_BOOST) revert MaxBoostExceeded(); // Use MAX_BOOST instead of 50000

if (boostWindow < 1 days || boostWindow > 30 days) revert InvalidDelegationDuration();

boostState.maxBoost = maxBoost;

boostState.minBoost = minBoost;

boostState.boostWindow = boostWindow;

emit BoostParametersUpdated(maxBoost, minBoost, boostWindow);

}

Updates

Lead Judging Commences

inallhonesty Lead Judge 2 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.